The post Massive Software Supply-Chain Hack Targeting Crypto Ends with Pennies Stolen appeared on BitcoinEthereumNews.com.

Massive Software Supply-Chain Hack Targeting Crypto Ends with Pennies Stolen

One web developer’s compromised npm account triggered a large-scale supply chain attack, but the hacker only got a few cents in crypto, analysts say.

An unknown hacker pulled off what may be the largest software supply-chain attack ever, but still made less than the price of many memecoins.

On Monday, Sept. 8, a hacker broke into the account of a well-known JavaScript developer known as “qix” and pushed malicious updates to dozens of widely used software tools for building websites and apps, which together are downloaded more than two billion times each week.

After gaining access, the hacker added malicious code to all of the developer’s packages, which wasn’t a virus in the traditional sense but was still designed to steal cryptocurrency from users’ crypto wallets in browsers.

The attack spread quickly because dependency updates are usually trusted automatically: when a new version of a package is published, many projects and apps pull it in without review, so the hacker’s code propagated fast.

Snir Levi, founder and CEO of compliance and threat management platform Nominis, told The Defiant that the modern software supply chain is “incredibly interconnected,” as a single compromised npm account can cascade across thousands of projects and businesses in minutes, because code reuse is the “backbone of the entire ecosystem.” Npm is a registry for JavaScript software packages.

“The stakes aren’t just technical – a malicious package in a critical dependency can impact millions of users, move billions of dollars, and undermine trust in the integrity of the industry. This incident highlights that security isn’t just about protecting infrastructure; it’s about protecting every link in a vast, invisible web of trust,” Levi explained.

The malicious code, mainly targeting Ethereum and Solana transactions, was created to swap destination addresses to the hacker’s wallet, the Security Alliance wrote in a post-attack blog post on Monday.

The cybersecurity experts say that the code also tried to rewrite crypto addresses inside web traffic with look-alike ones.
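A wallet-side check that catches the substitution pattern described above, as an added example written here in JavaScript (not code from the article or from the Security Alliance write-up): the chain tags, the four-character "looks right" threshold and the sample addresses are assumptions.

```javascript
// Guard that refuses to proceed when the destination in a transaction
// request differs from the address the user confirmed, and classifies a
// near-match whose visible head and tail agree as a look-alike.
const ETH_RE = /^0x[0-9a-fA-F]{40}$/;
const SOL_RE = /^[1-9A-HJ-NP-Za-km-z]{32,44}$/; // base58 alphabet

function normalize(chain, addr) {
  if (chain === "eth") {
    if (!ETH_RE.test(addr)) throw new Error("malformed ethereum address");
    return addr.toLowerCase(); // EIP-55 checksum casing must not look like a swap
  }
  if (chain === "sol") {
    if (!SOL_RE.test(addr)) throw new Error("malformed solana address");
    return addr; // base58 is case-sensitive, so compare exactly
  }
  throw new Error("unsupported chain");
}

// Count the leading and trailing characters two addresses share: what a
// person sees in a truncated "0x1234…abcd" display.
function sharedEnds(a, b) {
  let prefix = 0;
  while (prefix < a.length && prefix < b.length && a[prefix] === b[prefix]) prefix++;
  let suffix = 0;
  while (suffix < a.length - prefix && suffix < b.length - prefix &&
         a[a.length - 1 - suffix] === b[b.length - 1 - suffix]) suffix++;
  return { prefix, suffix };
}

// Returns { ok, reason } with reason "match", "lookalike" or "mismatch".
function checkDestination(chain, confirmed, requested) {
  const want = normalize(chain, confirmed);
  const got = normalize(chain, requested);
  if (want === got) return { ok: true, reason: "match", prefix: want.length, suffix: 0 };
  const { prefix, suffix } = sharedEnds(want, got);
  // Assumed threshold: matching 4 chars at each end fools a visual check.
  if (prefix >= 4 && suffix >= 4) return { ok: false, reason: "lookalike", prefix, suffix };
  return { ok: false, reason: "mismatch", prefix, suffix };
}

// Constructed sample addresses (not real wallets).
const CONFIRMED_ETH = "0xabc0" + "0".repeat(32) + "1234";
const LOOKALIKE_ETH = "0xabc0" + "f".repeat(32) + "1234";
const RANDOM_ETH = "0x" + "d".repeat(40);
```

The point of the strict compare is that the article's substitution is chosen to survive a glance at the first and last few characters, which is exactly what the look-alike branch flags.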

‘Generational Fumble’

While on paper the attack was catastrophic, the Security Alliance says that in terms of actual losses the hacker made only about $0.05 worth of ETH and $20 in a memecoin.

“Despite the magnitude of the breach, the attacker appears to have only ‘stolen’ around 5 cents of ETH and 20 USD of a memecoin with a whopping 588 USD of trading volume over the past 24 hours,” the Security Alliance said.

Commenting on the attack in an X post, samczsun, a pseudonymous white hat hacker and the founder of the Security Alliance, described the incident as a “generational fumble, the likes of which we will probably never see again.”

Harry Donnelly, CEO of digital asset recovery company Circuit, suggested in commentary for The Defiant that this attack is far from the last one as there are “many dependencies and vulnerabilities in the crypto supply chain.”

“This attack is an example of how something as small as an open-source package installed by one developer can create an unintended attack vector. Having measures in place to respond to malicious activity, even if the payload is replaced, is critically important to prevent funds from being stolen,” Donnelly added.

Source: https://thedefiant.io/news/hacks/npm-supply-chain-attack-on-crypto

