While a large-scale hack targeting JavaScript crypto dependencies could have caused serious damage, it failed. In total, barely $500 was stolen.
Hack targeting JavaScript crypto dependencies fails
On Monday evening, we warned of a vulnerability with the potential for significant damage, as large-scale exploitation could have put many crypto wallets at risk. In short, the attack targeted a developer’s account on the JavaScript package manager NPM. Since this developer has a large following, more than a billion downloads of fraudulent programs would have been made, theoretically giving attackers the ability to divert funds by falsifying addresses on applications using these packages.
Despite everything, this case caused more fear than harm, since Arkham’s data reveals that a total of just $500 was stolen:
On X, Charles Guillemet, Ledger’s CTO, explains that the attacker’s mistakes allowed for quick detection of the maneuver. However, he warns that these types of threats should not be taken lightly:
Nevertheless, this is a clear reminder: if your funds are stored in a software wallet or on an exchange platform, a single code execution separates you from total loss. Supply chain compromises remain a powerful vector for spreading malware, and we are also seeing the emergence of more targeted attacks. Hardware wallets are designed to withstand these threats. Features such as clear signatures allow you to confirm exactly what is happening, and transaction checks flag suspicious activity before it is too late. The immediate danger may have passed, but the threat is still there.
Several wallet developers, including MetaMask and OKX Wallet, have stated that their applications remain secure.
