logo
  • menu
  • Markets
  • ETFs
  • Live
  • Spot
  • Futures
  • Bots
  • Learn
  • Sign In
  • Sign Up
  • Downloads
  • English
  • |
  • USD
  • |
Sign Up
Crypto PricesLearnLatest NewsDownloadsMarketsSpotAnnouncements
Home/
Latest News/
Industry

Largest NPM attack in crypto history netted under $50. researchers say

By Christopher Smith
Sep 9, 2025
3.8 
★
★
★
★
★
★
★
★
★
★
 228 User Rating
Share

A massive supply-chain compromise of popular Node Package Manager (npm) libraries has sent shockwaves through the developer and crypto communities — yet, remarkably, attackers appear to have stolen less than $50 so far. Security researchers say a prolific maintainer's npm account was phished and malicious versions of widely used packages (including chalk, strip-ansi, color-convert, and others) were published; the injected payloads targeted cryptocurrency wallets by swapping addresses during transactions.

What exactly was compromised — and how widespread is it?

Security trackers and maintainers report that a single maintainer account (known on npm as qix) was taken over in a phishing incident, enabling attackers to publish malicious updates to many small-but-ubiquitous utility packages. The affected modules sit deep in dependency trees and collectively receive billions of downloads per week — which is why the incident is being described as one of the largest npm supply-chain compromises ever.

How did the malware work — could it drain wallets?

The injected code behaves like a crypto-clipper: when a user or dApp constructs an on-chain transaction, the malware can silently replace the recipient address with an attacker-controlled address before the transaction is broadcast. Researchers also note sophisticated delivery techniques in some related campaigns — for example using on-chain data (Ethereum smart contracts) to hide or deliver secondary payloads — which complicates detection and attribution. Importantly, many security researchers stress that a user generally must still initiate or approve a malicious transaction for funds to move, so hardware wallets and careful UX checks reduce exposure.

How much did the attackers actually steal?

According to crypto-intelligence platform Security Alliance (SEAL), blockchain traces show the attackers have so far received only tiny amounts — Cointelegraph cites SEAL saying the malicious Ethereum address identified was 0xFc4a48. and the total observed take was under $50 (the first flagged transfer was as small as $0.05 and was later reported as roughly $50 when memecoin transfers were included). Etherscan data linked in reporting shows meme tokens were among the small receipts to the malicious address. That slim haul stands in stark contrast to the theoretical scale of the compromise.

Who's exposed — developers, end users, or both?

Because packages like chalk and strip-ansi are rarely installed directly by end users but are embedded transitively across many projects, both developers and end users are at risk: developer workstations, CI pipelines, and web apps that pull compromised versions could run the payload, and users interacting with affected dApps may encounter address-substitution attempts. Security teams that automatically deploy dependency updates or that don't lock transitive versions are particularly vulnerable.

What should teams and users do right now?

Security and tooling vendors — and maintainers — recommend an immediate triage checklist:

Freeze and audit: don't deploy or ship builds that pulled the affected package versions until maintainers and package registries confirm clean releases.

Pin and verify: pin transitive dependencies to known good versions, and use lockfiles or SBOMs to identify impacted builds.

Scan and roll back: run SCA (software composition analysis) scanners and revoke or rotate any compromised tokens/keys tied to affected CI or publish pipelines.

Use hardware wallets / double-check addresses: end users should confirm destination addresses carefully and prefer hardware wallets for high-value transactions; vendors such as Ledger warned users to be cautious while the ecosystem cleans up.

Why the low take doesn't mean “no harm”

Even though the on-chain theft evidence is small today, the incident is dangerous for several reasons: (1) the attacker could have pushed a far more destructive payload (ransomware, backdoors, credential stealers), (2) many compromised versions may already be cached or embedded in running systems and CI artifacts, and (3) the attack highlights how simple social-engineering (phishing) can cascade into ecosystem-scale risk. Past npm supply-chain incidents (and recent research) show adversaries reuse these techniques to scale over time, so the community treats this as a wake-up call rather than a near-miss.

Conclusion

This episode illustrates a painful lesson: software-supply-chain security is no longer an abstract best practice — it's a frontline defense for both developer infrastructure and on-chain money. That attackers could weaponize tiny utility packages affecting billions of downloads, but yet (so far) take almost no funds, underscores both the fragility and resilience of modern ecosystems: a narrow window of danger — and a huge window for remediation. The priority now is fast, coordinated cleanup from maintainers and registries, thorough audits by projects that consume these libraries, and renewed emphasis on developer account hygiene (phishing resistance, token management and 2FA) across the open-source ecosystem.

Disclaimer: The information on this page may have been obtained from third parties and does not necessarily reflect the views or opinions of BitKan. This content is provided for general informational purposes only, without any representation or warranty of any kind, nor shall it be construed as financial or investment advice. BitKan shall not be liable for any errors or omissions, or for any outcomes resulting from the use of this information. Investments in digital assets can be risky. Please carefully evaluate the risks of a product and your risk tolerance based on your own financial circumstances. Products mentioned in this article may not be available in your region.

Related News

  • Senate Test for Clarity Act Could Spark Crypto Market Volatility

    Senate Test for Clarity Act Could Spark Crypto Market Volatility

    As the U.S. Senate approaches a critical vote on the Digital Asset Market Clarity Act, investment bank Jefferies has cautioned investors that the legislative process will likely trigger heightened volatility across crypto markets.
    Jerry McNeill
    Jul 1, 2026
  • Pharos Reveals PROS Token Supply Model With Zero Initial Inflation

    Pharos Reveals PROS Token Supply Model With Zero Initial Inflation

    Pharos has unveiled the economic model for its PROS token, setting a fixed initial supply of 1 billion tokens and introducing a phased inflation schedule that begins at zero.
    Christopher Smith
    Apr 21, 2026
  • Polymarket Launches Full-Stack Hiring Push Across Key Teams

    Polymarket Launches Full-Stack Hiring Push Across Key Teams

    Polymarket is accelerating hiring across design, engineering, legal, and business roles to support rapid expansion.
    Cornell Rachel
    Apr 16, 2026

Latest News

Industry

Cryptocurrency

Airdrop

Markets

  • New SEC Crypto Rule to Cut Red Tape for Startup Fundraising

    New SEC Crypto Rule to Cut Red Tape for Startup Fundraising

    The U.S. Securities and Exchange Commission plans to introduce a major regulatory framework this month to simplify capital formation and reduce operational hurdles for cryptocurrency businesses.
    Martha Grizzard
    Jul 8, 2026
  • White House Admits Federal Bitcoin Fund is Still Delayed

    White House Admits Federal Bitcoin Fund is Still Delayed

    The establishment of the Strategic Bitcoin Reserve has run into severe internal friction regarding which cabinet-level agency holds authority over the asset.
    Martha Grizzard
    Jul 7, 2026
  • Senate Test for Clarity Act Could Spark Crypto Market Volatility

    Senate Test for Clarity Act Could Spark Crypto Market Volatility

    As the U.S. Senate approaches a critical vote on the Digital Asset Market Clarity Act, investment bank Jefferies has cautioned investors that the legislative process will likely trigger heightened volatility across crypto markets.
    Jerry McNeill
    Jul 1, 2026
  • SBI’s $289M Bitbank Deal Signals Japan Crypto Consolidation

    SBI’s $289M Bitbank Deal Signals Japan Crypto Consolidation

    SBI Holdings has solidified its domestic dominance by agreeing to acquire all shares of Bitbank in a transaction valued at ¥46.7 billion ($289 million), according to the company’s official disclosure.
    Cornell Rachel
    Jun 29, 2026
  • Invesco Files for Tokenized Fund to Back Stablecoin Reserves

    Invesco Files for Tokenized Fund to Back Stablecoin Reserves

    Invesco has officially filed with the U.S. Securities and Exchange Commission (SEC) to launch the Invesco Stablecoin Reserves Onchain Fund, a new vehicle designed to offer stablecoin issuers a compliant way to manage their collateral.
    Martha Grizzard
    Jun 26, 2026
View more data 

Content

BTCBTC(BTC)
$0
--(Last 24h)
SpotFutures

Top

View more
  1. 1S&P 500 Reclaims 200-Day Moving Average, Bitcoin Gains
  2. 2Trump Softens His Stance on Reciprocal Tariffs, US Stocks and Crypto Markets Rise
  3. 3Vitalik Buterin : The current price of ETH has not been affected by the merger event
  4. 4Vibhu Norby : Solana Spaces store to bring 100K people to Solana per month
  5. 5CZ: compared with the record high nine months ago, the current situation of the industry is much better

Top Gainers

View more
DODO
DODODODO

$0.0228

+40.62%
eCash
eCashXEC

$0.00000675

+30.56%
Janction
JanctionJCT

$0.004259

+29.10%
Billions Network
Billions NetworkBILL

$0.0586

+26.05%
Collector Crypt
Collector CryptCARDS

$0.1765

+24.02%

Top Trending

View more
Semicon Bull 3X ETF
Semicon Bull 3X ETFSOXL

$175.340

-9.83%
DODO
DODODODO

$0.0228

+40.62%
Sandisk
SandiskSNDK

$1,760.27

-9.86%
Ethereum
EthereumETH

$1,782.75

-1.92%
Bitcoin
BitcoinBTC

$62,794.01

-2.19%

Recently added

View more
SK Hynix
SK HynixSKHYB

$157.950

+1.65%
Cash Cat
Cash CatCASHCAT

$0.1508

-12.96%
Cerebras
CerebrasCBRSB

$210.490

-1.17%
Invesco QQQ Trust
Invesco QQQ TrustQQQB

$718.090

-1.33%
Palantir
PalantirPLTRB

$130.220

+2.97%

Learn

View more
  1. 1What Is Cross-Chain Interoperability? How Does It Function?
  2. 2What is OUSD? How Does Open USD Work for Digital Payments?
  3. 3What Are Keyloggers? How Do They Drain Your Crypto?
  4. 4What is Maximal Extractable Value in crypto? How Do We Avoid MEV?
  5. 5Crypto Trading Bots: What Are They and How Do They Work?
About Us
  • About BitKan
  • Contact Us
  • Announcements
  • VIP Program
  • BitKan Ambassador
  • Institutional Services
Products
  • Spot
  • Futures
  • Crypto Prices
  • Learn
  • News
  • Markets
  • How to Buy Crypto
  • BTC to USD Calculator
  • Reward
Help
  • Help Center
  • Email Us
  • Live Chat
  • Download APP
  • Listing Application
  • Buy Bitcoin
  • Buy Ethereum
  • Buy Dogecoin
  • Buy Altcoins
Terms
  • Terms of Use
  • Privacy Policy
  • Trading Rules
  • Fee
K-Site
English
About Us
+
  • About BitKan
  • Contact Us
  • Announcements
  • VIP Program
  • BitKan Ambassador
  • Institutional Services
Products
+
  • Spot
  • Futures
  • Crypto Prices
  • Learn
  • News
  • Markets
  • How to Buy Crypto
  • BTC to USD Calculator
  • Reward
Help
+
  • Help Center
  • Email Us
  • Live Chat
  • Download APP
  • Listing Application
  • Buy Bitcoin
  • Buy Ethereum
  • Buy Dogecoin
  • Buy Altcoins
Terms
+
  • Terms of Use
  • Privacy Policy
  • Trading Rules
  • Fee
K-Site
+
  • Twitter
  • Facebook
  • Telegram
  • YouTube
  • Instagram
  • Medium
  • Linkedin
@2012-2026 BITKAN.com