A massive cyber attack targeting cryptocurrency users during transactions has been uncovered, in what security researchers describe as the largest supply chain attack in history. According to a report by Bleeping Computer, hackers used phishing emails to inject malware that steals crypto from unsuspecting users.
The attack specifically targeted JavaScript developers with fraudulent emails that appeared to come from [email protected], a spoofed domain that mimics the legitimate NPM registry. The phishing messages warned developers that their accounts would be blocked on September 10 unless they updated their two-factor authentication registration information via a malicious link.
Scope of the Attack
The attackers compromised 18 widely used JavaScript packages with collective weekly downloads of over 2.6 billion. The affected libraries include essential development tools such as “chalk” (300 million weekly downloads), “debug” (358 million), and “ansi-styles” (371 million), so the compromise touches nearly the entire JavaScript ecosystem.
The malicious code acts as a browser-based interceptor, monitoring network traffic for crypto transactions on Ethereum, Bitcoin, Solana, Tron, Litecoin, and Bitcoin Cash. When users initiate crypto transactions, the malware replaces the target wallet addresses with attacker-controlled accounts.
Consequences and Risks
Aikido security researcher Charlie Eriksen explained that what makes this attack particularly dangerous is that it operates on multiple levels: it changes website content, manipulates API calls, and manipulates the apps of users who believe they are signing legitimate transactions.
Ledger CTO Charles Guillemet warned crypto users of the continued threat, noting that the JavaScript ecosystem may be compromised due to the massive download numbers. Hardware wallet users are protected if they check transaction details before signing, while software wallet users are at a higher risk. Guillemet advised, “If you don’t use a hardware wallet, you shouldn’t be doing on-chain transactions for the time being.”
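The check Guillemet describes, comparing the recipient you intended with the one actually being signed, can be sketched in code. The following is an added example, not code from the report or from any wallet vendor; the function names and all addresses are constructed for illustration, and it assumes a wallet UI that shows only the first and last few characters of an address.

```javascript
// Added example: hypothetical helper names, constructed sample addresses.

// Ethereum hex addresses compare case-insensitively; Base58 formats
// (Bitcoin, Solana, Tron, Litecoin) are case-sensitive, so leave them as-is.
function normalize(addr) {
  const a = String(addr).trim();
  return /^0x[0-9a-fA-F]{40}$/.test(a) ? a.toLowerCase() : a;
}

// Number of leading characters two strings share.
function sharedPrefix(a, b) {
  let i = 0;
  while (i < a.length && i < b.length && a[i] === b[i]) i++;
  return i;
}

// Number of trailing characters two strings share.
function sharedSuffix(a, b) {
  let i = 0;
  while (i < a.length && i < b.length &&
         a[a.length - 1 - i] === b[b.length - 1 - i]) i++;
  return i;
}

// Compare the recipient the user intended with the one about to be signed.
// `shown` is how many characters a truncated display reveals at each end.
function checkRecipient(intended, toSign, shown = 4) {
  const want = normalize(intended);
  const got = normalize(toSign);
  if (want === got) return { ok: true, reason: 'match' };
  const pre = sharedPrefix(want, got);
  const suf = sharedSuffix(want, got);
  // A swap that survives a "first N ... last N" display is easy to miss by eye.
  const hidden = pre >= shown && suf >= shown;
  return {
    ok: false,
    reason: hidden ? 'mismatch hidden by truncated display' : 'mismatch',
    sharedPrefix: pre,
    sharedSuffix: suf,
  };
}

// Constructed sample addresses (not real wallets).
const INTENDED = '0x1111' + 'a'.repeat(32) + '2222';
const INTENDED_CHECKSUM_CASE = '0x1111' + 'A'.repeat(32) + '2222';
const SWAPPED = '0x1111' + 'b'.repeat(32) + '2222';
const UNRELATED = '0x9999' + 'c'.repeat(32) + '8888';
```

A comparison like this only helps when it runs somewhere the compromised page cannot reach, which is why the check on a hardware wallet's own screen is the one that counts.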
Expert Insights and Recommendations
Guillemet also expressed uncertainty about whether attackers can extract seed phrases directly from software wallets. The attack represents a significant supply chain risk, where compromised development infrastructure affects end-users. By infiltrating packages that have been downloaded billions of times a week, attackers have gained unprecedented access to cryptocurrency applications and wallet interfaces.
Bleeping Computer identified the phishing infrastructure, including the domain “websocket-api2.publicvm.com”, which demonstrates the coordinated nature of the operation. This incident follows similar JavaScript library compromises in 2025, including the July attack on “eslint-config-prettier”, which had 30 million weekly downloads, and the March compromises of ten popular NPM libraries.
For more information on this developing story, please visit the source link: https://cryptoslate.com/largest-supply-chain-attack-in-history-targets-crypto-users-through-compromised-javascript-packages/