September 2025 NPM Supply Chain Breach Drains Crypto Wallets Via Address Swap Malware

The JavaScript ecosystem suffered one of its most devastating supply chain attacks in September 2025, as threat actors compromised at least 27 NPM packages through a sophisticated phishing campaign, injecting cryptocurrency-stealing malware that targeted wallets across six blockchains. The breach, first detected on September 8, sent shockwaves through the developer community as the full scope of the attack became clear over the following days.

The Exploit Mechanics

The attack began with a meticulously crafted phishing campaign. Attackers registered the domain npmjs.help on September 4, 2025, creating a near-perfect impersonation of NPM’s official infrastructure. Phishing emails were dispatched to multiple high-profile package maintainers on September 8, claiming urgent two-factor authentication updates were required by September 10.

Josh Junon, a maintainer of critical JavaScript infrastructure packages, recounted the attack vector: the email appeared to come from an address on the lookalike npmjs.help domain and looked legitimate at first glance. Operating on mobile during a stressful morning, he clicked the phishing link rather than navigating directly to the NPM website.

With access to the maintainer's account, the attackers published malicious versions of the compromised packages. The injected malware used advanced obfuscation, including hexadecimal encoding and convoluted function structures. The code ran only in browser environments and targeted cryptocurrency transactions through three primary mechanisms: API hooking that intercepted window.ethereum, fetch, and XMLHttpRequest calls; address replacement that used Levenshtein distance to substitute an attacker-controlled wallet address visually similar to the intended one; and multi-chain support covering Ethereum, Bitcoin, Solana, Tron, Litecoin, and Bitcoin Cash. The malware carried over 280 hardcoded attacker addresses for redundancy.
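The hooking described above replaces native browser functions with JavaScript wrappers, which is something a page can check for itself. The following is an added defensive example, not code from the article or from any of the affected packages: it inspects a window-like object (passed in as a parameter so it also runs under Node) and reports globals whose implementation is no longer native code, and it snapshots the wallet provider's request method so later replacement can be detected.

```javascript
// Added example: audit the browser APIs the address-swap malware hooked.
// Native browser functions stringify to "function name() { [native code] }";
// a JavaScript wrapper installed by injected code does not.
const NATIVE_RE = /\{\s*\[native code\]\s*\}\s*$/;

function isNative(fn) {
  if (typeof fn !== "function") return false;
  // Use Function.prototype.toString directly so a per-function toString override is bypassed.
  // Caveat: malware that also replaces Function.prototype.toString can defeat this check.
  return NATIVE_RE.test(Function.prototype.toString.call(fn));
}

// `win` is a window-like object (window in a browser; a constructed object in tests).
function auditBrowserGlobals(win) {
  const findings = [];
  if (!isNative(win.fetch)) findings.push("fetch is not native code (possibly wrapped)");
  const xhr = win.XMLHttpRequest;
  if (xhr && xhr.prototype) {
    for (const method of ["open", "send"]) {
      if (!isNative(xhr.prototype[method])) {
        findings.push(`XMLHttpRequest.prototype.${method} is not native code (possibly wrapped)`);
      }
    }
  }
  return findings;
}

// Injected wallet providers (window.ethereum) are JavaScript, so their request() is never
// native. Instead, record the function at page load and compare later: a different object
// means something re-wrapped the provider after the snapshot was taken.
function snapshotProvider(win) {
  return win.ethereum && typeof win.ethereum.request === "function" ? win.ethereum.request : null;
}

function providerRewrapped(win, snapshot) {
  const current = snapshotProvider(win);
  return snapshot !== null && current !== snapshot;
}

module.exports = { isNative, auditBrowserGlobals, snapshotProvider, providerRewrapped };
```

In a browser, call `auditBrowserGlobals(window)` and `snapshotProvider(window)` as early as possible in page load, before third-party bundles run, and re-check before any transaction is signed.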

Affected Systems

The scale of the compromise was staggering. At least 27 packages were confirmed compromised, together accounting for billions of weekly downloads across the JavaScript ecosystem. The affected packages included widely used libraries such as chalk, ansi-regex, supports-color, strip-ansi, debug, duckdb, and prebid.js.

Fifteen packages required upgrades to newly published fixed versions, while twelve packages needed to be reverted to previous safe versions. The browser-only execution of the malware meant server-side Node.js applications were not directly affected, though the potential for future server-targeting variants remains a critical concern for infrastructure teams.

With Bitcoin trading at approximately $115,500 and Ethereum near $4,460 on September 11, the financial stakes of any successful wallet compromise were substantial. Even a small percentage of users executing transactions through compromised browsers could result in millions of dollars in stolen funds.

The Mitigation Strategy

NPM’s security team began removing malicious packages immediately upon detection, with the initial wave of compromised versions unpublished from the registry within hours. The incident response escalated through September 9 to 11, as security researchers continued discovering additional affected libraries. CVE assignments began for the most critical packages, and maintainers worked around the clock to regain control and publish fixes.

Organizations were advised to take immediate action: identify all affected packages using vulnerability scanning tools, update the fifteen packages with available fixes or revert the twelve packages to their last known safe versions, clear all NPM caches with npm cache clean --force, and verify package integrity against known-good checksums.
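The first step in that list, identifying affected packages, can be done directly against a project's lockfile. The following is an added example, not code from the article or from npm: it walks the `packages` map of a package-lock.json (lockfile v2/v3) and reports every installed copy, including nested duplicates, whose version is on a table of compromised versions. The package names come from the article; the version strings and the sample lockfile are constructed placeholders to be replaced with the published advisory data.

```javascript
// Added example: scan an npm lockfile for packages installed at compromised versions.
// Constructed placeholder table (package name -> compromised versions); the article names
// the packages but not the versions, so these values are illustrative only.
const COMPROMISED = {
  chalk: new Set(["9.9.9-compromised"]),
  debug: new Set(["9.9.9-compromised"]),
  "ansi-regex": new Set(["9.9.9-compromised"]),
};

// Lockfile keys look like "node_modules/chalk" or "node_modules/foo/node_modules/chalk";
// the segment after the last "node_modules/" is the package name (scoped names included).
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

// Returns one hit per installed copy at a compromised version, nested copies included.
function findCompromised(lock, table = COMPROMISED) {
  const hits = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    const name = packageNameFromPath(lockPath);
    if (!name || !entry || typeof entry.version !== "string") continue;
    const bad = table[name];
    if (bad && bad.has(entry.version)) {
      hits.push({ path: lockPath, name, version: entry.version, integrity: entry.integrity || null });
    }
  }
  return hits;
}

// Constructed sample lockfile: one direct hit, one clean package, one nested hit.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/chalk": { version: "9.9.9-compromised", integrity: "sha512-PLACEHOLDER" },
    "node_modules/supports-color": { version: "7.2.0" },
    "node_modules/foo/node_modules/debug": { version: "9.9.9-compromised" },
  },
};

for (const hit of findCompromised(SAMPLE_LOCK)) {
  console.log(`${hit.path}: ${hit.name}@${hit.version} is a compromised version`);
}

module.exports = { COMPROMISED, packageNameFromPath, findCompromised, SAMPLE_LOCK };
```

To run it against a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `findCompromised` and compare each reported `integrity` value with the known-good checksum for that version.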

Lessons Learned

This attack underscores several critical vulnerabilities in the open-source software supply chain. First, the reliance on email-based authentication for package maintainers creates a single point of failure. Second, the sheer download volume of popular packages means even brief exposure windows can affect millions of users. Third, the targeting of cryptocurrency transactions through browser-based malware represents an evolution in financially-motivated supply chain attacks.

The attack also highlights the tension between developer convenience and security. Maintainers managing dozens of packages under time pressure are precisely the targets most susceptible to well-crafted phishing campaigns. Organizations must implement automated dependency scanning and pin package versions to known-good releases rather than using floating version specifiers.

User Action Required

If you used any affected NPM packages between September 8 and September 11, 2025, immediately audit your dependency tree, update all packages to their latest patched versions, and review any cryptocurrency transactions executed during this window for signs of address tampering. Enable hardware wallet verification for all high-value transfers, and consider using dedicated browser profiles for cryptocurrency operations that exclude development tooling.

Disclaimer: This article is for informational purposes only and does not constitute financial or security advice. Always consult with qualified security professionals regarding your specific infrastructure needs.

11 thoughts on “September 2025 NPM Supply Chain Breach Drains Crypto Wallets Via Address Swap Malware”

    1. real yield protocols are great until a compromised npm package swaps your withdrawal address. the attack surface shifted, not disappeared

    1. TVL recovery is real but this was a supply chain attack not a DeFi bug. completely different threat model

      1. lena is right that the threat model is different. defi insurance won't help you if your wallet signs a transaction to a swapped address from a compromised npm package

  1. 27 packages compromised through one phishing domain. the npm ecosystem needs signed package verification yesterday. every JS project is one maintainer phishing click away from disaster

  2. 280 hardcoded attacker addresses across 6 chains and the malware was live for days. npmjs.help registered sep 4, attack sep 8, that 4 day gap should've been caught

    1. 4 day gap between domain registration and attack is actually fast for threat actors. the phishing emails went out the same morning as registration in some cases
