Phishing, Bugs, and Billions at Stake: Lessons From NPM Crypto Exploit Near-Miss

A failed attack on popular Node Package Manager (NPM) libraries sent shockwaves through the crypto world on Monday.

Hackers targeted major packages to hijack cryptocurrency transactions across multiple blockchains, but due to coding errors, the breach caused minimal loss.

Still, experts warn that the incident highlights ongoing risks for software wallets, exchanges, and any platform that automatically updates code libraries.

NPM Attack Hits Popular Libraries

The attack reportedly started with a phishing email sent from a fake NPM support domain, which allowed hackers to access developer accounts. Malicious updates were then pushed to libraries, including chalk, debug, and strip-ansi.

The injected code attempted to intercept wallet addresses on chains like Bitcoin, Ethereum, Solana, Tron, and Litecoin.

Charles Guillemet, Ledger's CTO, commented on X: “The attack fortunately failed, with almost no victims. It began with a phishing email from a fake npm support domain that stole credentials and gave attackers access to publish malicious package updates.”

According to Guillemet, the injected code targeted web crypto activity, affecting Ethereum, Solana, and other blockchains, hijacking transactions and replacing wallet addresses directly in network responses.

Read more: Hackers Exploit JavaScript Accounts in Massive Crypto Attack Reportedly Affecting 1B+ Downloads

“If your funds sit in a software wallet or on an exchange, you’re one code execution away from losing everything. Supply-chain compromises remain a powerful malware delivery vector, and we’re also seeing more targeted attacks emerge,” he said.

Understanding the Threat

Anatoly Makosov, CTO of The Open Network (TON), also addressed the matter by explaining the mechanics of the attack on X and that only 18 specific package versions were compromised.

Makosov said developers who deployed builds shortly after the malicious updates, or who rely on auto-updating libraries, were most exposed. “Developers of multi-chain products should check their code, especially if they have released something today,” he warned.

Makosov emphasized that all earlier and newer versions of the allegedly attacked packages are considered safe. Fixes have been published, and developers are urged to reinstall clean code and rebuild their applications.

Minimal Impact, Major Lesson

Despite the sophisticated attempt, the financial impact was limited. Guillemet credited early detection to errors in the attackers’ code that caused CI/CD pipeline crashes.

“Hardware wallets are built to withstand these threats,” Guillemet said. Ledger devices include Clear Signing, letting users verify transactions on a secure screen, and Transaction Check, which warns of suspicious activity. “Your private keys and recovery phrase remain safe. The immediate danger may have passed, but the threat hasn’t. Stay safe,” he added.

Makosov and Guillemet both emphasized that vigilance is crucial. Developers should lock dependencies to safe versions and avoid dynamic updates, while users should avoid blind signing and always verify wallet addresses.

Meanwhile, crypto wallet provider Ledger has assured its users that its systems remain safe.

“Ledger devices are not and have not been at risk during an ecosystem-wide software supply chain attack that was discovered. Ledger devices are built specifically to protect users against attacks like these,” the company explained.

Developers have now been urged to examine their projects’ package files for affected versions and update or rebuild with secure releases. Users, meanwhile, should avoid blind signing and always verify wallet addresses before confirming transactions.