A new cyberattack has put millions of crypto users on alert after hackers slipped malicious code into NPM, the software registry that powers thousands of apps and websites, including many tied to crypto wallets.
For non-developers, NPM (Node Package Manager) is like a giant library of free building blocks that software developers use to create apps. Every time you interact with a wallet extension like MetaMask or a DeFi dashboard, chances are some part of its code comes from NPM.
The problem is, if attackers sneak malware into one of those building blocks, it can spread to thousands of apps without users realizing. With more than 2 billion downloads every week, NPM is the plumbing of the internet, and a prime target.
Developers first noticed something was wrong when code builds started failing. Researcher StarPlatinum explained:
“Developers first noticed strange build errors like fetch is not defined. When they inspected the code, they found heavy obfuscation hiding functions like checkethereumw. A clear sign this was targeting crypto.”
Once inside, the malware had two tricks. As Minal Thukral detailed:
“The malware uses two sophisticated methods:
– Clipboard Hijacking: When you paste a wallet address, it stealthily swaps it with an attacker’s look-alike, making it extremely hard to spot the difference.
– Transaction Interception: It directly hooks into your wallet’s functions. When you go to sign a transaction, it changes the recipient’s address in the background before the confirmation prompt even appears.”
You could think you’re sending coins to a friend, but the malware might quietly reroute them to a hacker.
So far, the attacker’s Ethereum wallet and several backups have been identified, and no stolen funds have been moved. But the fact that the code ran in apps with billions of downloads has shaken trust.
sol.engineer summed it up:
“This code runs behind the scenes in apps with billions of downloads each week. Even big companies rely on it. Which means: any Solana platform, any wallet and more could be affected.”
The first step is slowing down. Many crypto users only check the first and last few digits of wallet addresses when sending money but that’s exactly what attackers exploit.
As sol.engineer warned:
“Double-check every address before sending, slow down & verify every single character (NOT just first/last 4).”
