Critical alert: an ongoing hack is hijacking your crypto addresses in real time

by Thomas

A targeted attack is hitting the JavaScript ecosystem via widely used NPM modules. By compromising the account of a reputable developer, attackers are injecting malware capable of modifying crypto receiving addresses on the fly, exposing users to a high risk of theft during on-chain transactions.

What’s happening? Malware is hijacking your crypto addresses

An unprecedented supply chain attack (an attack that targets the components, libraries, tools, and services developers rely on) is currently hitting the entire JavaScript ecosystem and, by extension, the cryptocurrency ecosystem.

The NPM account of the developer “qix,” maintainer of many popular libraries, was recently compromised.

As a result, malicious versions have been released for widely used packages (small reusable code modules) such as “chalk,” “strip-ansi,” “color-convert,” “error-ex,” and “is-core-module.”

With several hundred million cumulative weekly downloads, these packages are now widespread in the Node.js ecosystem, affecting thousands of projects.

Although the situation seems catastrophic at first glance, this attack only affects websites that published an update after the NPM package in question was compromised. Projects that have not yet updated are still using the older, uncompromised version.
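Whether a project is exposed therefore depends on which versions its lockfile actually pins. The following added example (not code from this article or from npm) lists every installed copy of the packages named above and flags any that match a deny-list; it assumes the lockfile v2/v3 `packages` map, and the sample lockfile and deny-list versions are constructed placeholders to be replaced with the versions given in the official advisory.

```javascript
// Packages named in the article as having received malicious releases.
const WATCHED = ["chalk", "strip-ansi", "color-convert", "error-ex", "is-core-module"];

// Lockfile v2/v3 keys are install paths; the package name is whatever
// follows the last "node_modules/" segment (scoped names included).
function packageNameFromKey(key) {
  const marker = "node_modules/";
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? null : key.slice(idx + marker.length);
}

// Returns one finding per installed copy of a watched package, including
// nested copies pulled in by other dependencies.
// denyList maps package name -> versions the advisory lists as malicious.
function auditLockfile(lock, denyList = {}, watched = WATCHED) {
  const findings = [];
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    const name = packageNameFromKey(key);
    if (!name || !watched.includes(name) || !meta.version) continue;
    const flagged = (denyList[name] || []).includes(meta.version);
    findings.push({ name, version: meta.version, path: key, flagged });
  }
  // Flagged copies first, then by install path for stable output.
  return findings.sort((a, b) =>
    (b.flagged - a.flagged) || ((a.path > b.path) - (a.path < b.path)));
}

// Constructed sample data: these version strings are placeholders, not the
// real malicious or clean versions.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/chalk": { version: "9.9.9-example-bad" },
    "node_modules/demo-lib": { version: "1.3.0" },
    "node_modules/some-cli/node_modules/chalk": { version: "1.0.0-example-old" },
    "node_modules/strip-ansi": { version: "2.0.0-example-old" },
  },
};
const SAMPLE_DENY = { chalk: ["9.9.9-example-bad"] };

for (const f of auditLockfile(SAMPLE_LOCK, SAMPLE_DENY)) {
  console.log(`${f.flagged ? "FLAGGED" : "ok     "} ${f.name}@${f.version} (${f.path})`);
}
```

On a real project, pass the parsed contents of `package-lock.json` as the first argument; a flagged copy nested under another dependency is just as relevant as a top-level one.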

The injected malware is believed to be a sophisticated “crypto-clipper”:

  • It intercepts your network requests and crypto transactions;
  • It detects Bitcoin, Ethereum, Solana, and other addresses in the data;
  • It discreetly replaces them with the attacker’s addresses.

This means that even if you think you are sending funds to a legitimate address, the malware can change it in your browser or phone at the last second.

The code operates on several levels: it manipulates the content displayed on websites, API responses, and what your applications believe they are signing. This makes the attack particularly dangerous for those who do not use a hardware wallet.

How can you protect yourself?

If you use a hardware wallet (Ledger, Trezor, etc.): you are protected as long as you carefully verify that the address on the wallet screen (not your phone or computer) is correct before signing.

If you use a software wallet or even interact with smart contracts: immediately suspend all on-chain transactions.

It is best to wait until the situation is back under control before resuming your activity.

A SwissBorg partner has just suffered an incident resulting in the loss of 193,000 SOL

Although we cannot yet know if these two stories are related, the SwissBorg exchange platform recently stated that it had identified a flaw related to its partner Kiln’s API, impacting its “SOL Earn” program for approximately 193,000 SOL and affecting less than 1% of its users.

According to the company, the application remains secure and usable. SwissBorg immediately mobilized its SOL cash reserves to compensate for the losses and has reportedly already begun working with cybersecurity experts to recover the stolen funds. Affected users should be contacted by email shortly.
