
Over 70 Malicious npm Packages Target Crypto Developers in Coordinated Supply Chain Attack

On May 26, 2025, security researchers uncovered a sprawling campaign of over 70 malicious packages targeting the npm registry and Visual Studio Code marketplace, collectively designed to steal sensitive developer data and cryptocurrency credentials. The discovery, detailed by Socket security researchers, revealed two distinct attack campaigns operating simultaneously — one focused on stealthy data harvesting and another on outright destruction of development environments. With Bitcoin hovering near $109,400 and the broader crypto ecosystem increasingly dependent on open-source tooling, these supply chain attacks represent a growing threat to the integrity of blockchain and Web3 development workflows.

The Threat Landscape

The first campaign involved 60 malicious npm packages published across three different accounts — bbbb335656, cdsfdfafd1232436437, and sdsds656565 — each deploying 20 packages within an 11-day window. These packages were downloaded more than 3,000 times before detection. Their install-time scripts targeted Windows, macOS, and Linux systems, harvesting hostnames, IP addresses, DNS servers, network interface card information, and user directories, then transmitting everything to Discord-controlled endpoints. The scripts included basic sandbox-evasion checks to avoid detection in virtualized environments associated with Amazon, Google, and other cloud providers.

The second campaign was even more aggressive. Eight npm packages masquerading as helper libraries for popular JavaScript frameworks — React, Vue.js, Vite, Node.js, and the Quill Editor — carried destructive payloads designed to corrupt data, delete critical files, and crash systems. These packages were downloaded more than 6,200 times and included names like vite-plugin-vue-extend, quill-image-downloader, js-hood, and js-bomb. Some executed recursive file deletion targeting Vue.js, React, and Vite project files, while others corrupted fundamental JavaScript methods or tampered with browser storage mechanisms including localStorage, sessionStorage, and cookies.

Core Principles

Supply chain security in the crypto development ecosystem rests on three fundamental principles. First, never trust package popularity as a proxy for safety — the malicious packages in these campaigns accumulated thousands of downloads before detection. Second, always verify the provenance of dependencies, especially those that execute code during installation. Third, implement automated scanning at every stage of the development pipeline, from local development through continuous integration and deployment.

The campaigns highlight a particularly insidious tactic: the dual approach of publishing both harmful and helpful packages under the same account. Security researcher Kush Pandya noted that the threat actor behind the destructive packages, identified as xuxingfeng, also published five legitimate, non-malicious packages. This strategy creates a facade of legitimacy that makes malicious packages more likely to be trusted and installed by unsuspecting developers.

Tooling and Setup

Protecting crypto development environments from supply chain attacks requires a layered defense strategy. At the package level, tools like Socket provide real-time monitoring of npm dependencies, flagging packages with install-time scripts, unusual network activity, or suspicious author patterns. Developers should configure package.json to use exact version numbers rather than ranges and enable npm audit in continuous integration pipelines.

At the network level, organizations should implement egress filtering to detect unexpected outbound connections — such as data being sent to Discord webhooks during npm install. Runtime application self-protection tools can identify when JavaScript methods are being tampered with or when file system operations exceed expected parameters. For crypto projects specifically, hardware security modules and air-gapped signing environments provide an additional layer of protection against credential theft through compromised development tools.
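The egress rule described above (package-manager processes should only reach the registry, and a Discord webhook host during `npm install` is an immediate red flag) can be expressed as a small allowlist policy over connection telemetry. The following is an added example, not code from the article: the `key=value` log format, the allowlist, the host lists and the sample lines are all constructed for this demo, so `parseLine` must be adapted to whatever proxy or endpoint-agent logs are actually available.

```javascript
// Added example, not code from the article: an allowlist-style egress check for
// package-manager processes, run over constructed endpoint telemetry. The
// "key=value" line format, the allowlist and the sample lines are invented for
// this demo; adapt parseLine() to the proxy or EDR logs actually in use.

// Hosts an npm install legitimately contacts (constructed; add your own
// private registry or mirror here).
const INSTALL_ALLOWLIST = new Set([
  "registry.npmjs.org", "registry.yarnpkg.com", "github.com", "codeload.github.com",
]);
// Process names that mark an install context.
const PACKAGE_MANAGERS = new Set(["npm", "npx", "yarn", "pnpm"]);
// Chat-platform hosts that an install script has no reason to contact.
const WEBHOOK_HOSTS = new Set(["discord.com", "discordapp.com"]);

// Parse one constructed line such as
//   ts=... proc=node ancestors=npm,bash dest=discord.com:443
// into an event object; returns null when the fields the rule needs are absent.
function parseLine(line) {
  const fields = {};
  for (const token of line.trim().split(/\s+/)) {
    const eq = token.indexOf("=");
    if (eq > 0) fields[token.slice(0, eq)] = token.slice(eq + 1);
  }
  if (!fields.proc || !fields.dest) return null;
  const colon = fields.dest.lastIndexOf(":");
  return {
    ts: fields.ts || "",
    proc: fields.proc,
    ancestors: fields.ancestors ? fields.ancestors.split(",") : [],
    host: colon > 0 ? fields.dest.slice(0, colon) : fields.dest,
  };
}

// Apply the policy to one parsed event. Only connections made by a package
// manager, or by a descendant of one (an install script), are judged.
function evaluate(event) {
  const installContext =
    PACKAGE_MANAGERS.has(event.proc) || event.ancestors.some((a) => PACKAGE_MANAGERS.has(a));
  if (!installContext) return null;
  if (WEBHOOK_HOSTS.has(event.host)) {
    return { severity: "high", host: event.host, ts: event.ts,
             reason: "install-time process contacted a chat webhook host" };
  }
  if (!INSTALL_ALLOWLIST.has(event.host)) {
    return { severity: "medium", host: event.host, ts: event.ts,
             reason: "install-time egress to a host outside the allowlist" };
  }
  return null;
}

// Run the policy over raw log lines; malformed lines are skipped.
function detect(lines) {
  const alerts = [];
  for (const line of lines) {
    const event = parseLine(line);
    if (!event) continue;
    const alert = evaluate(event);
    if (alert) alerts.push(alert);
  }
  return alerts;
}

// Constructed sample: a normal registry fetch, an install script reaching a
// webhook host, an install script reaching an unknown host, and a browser
// talking to Discord outside any install (which the rule correctly ignores).
const SAMPLE_LOG = [
  "ts=2025-05-26T10:00:01Z proc=npm ancestors=bash dest=registry.npmjs.org:443",
  "ts=2025-05-26T10:00:04Z proc=node ancestors=npm,bash dest=registry.npmjs.org:443",
  "ts=2025-05-26T10:00:05Z proc=node ancestors=npm,bash dest=discord.com:443",
  "ts=2025-05-26T10:00:06Z proc=node ancestors=npm,bash dest=203.0.113.7:8080",
  "ts=2025-05-26T10:02:00Z proc=firefox ancestors=bash dest=discord.com:443",
  "this line is not telemetry",
];

console.log(JSON.stringify(detect(SAMPLE_LOG), null, 2));
```

The rule keys on process ancestry rather than on the destination alone: a developer's browser reaching Discord is normal, a child of `npm` doing so during an install is not. The medium-severity branch is the generic form of the same idea and catches exfiltration to hosts nobody has thought to denylist, at the cost of needing the allowlist kept current with any private registry or mirror the organization uses.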

Ongoing Vigilance

The crypto industry’s reliance on open-source tooling makes it particularly vulnerable to supply chain attacks. Smart contract development frameworks, wallet libraries, and DeFi protocol SDKs all depend on hundreds of transitive dependencies, any one of which could be compromised. The Cetus Protocol exploit on May 22, 2025, which resulted in a $260 million loss, demonstrated how a vulnerability in a shared library — the integer-mate math package in the Move programming language — can cascade across an entire ecosystem.

Security researcher Kirill Boychenko from Socket emphasized that by harvesting internal and external IP addresses, DNS servers, usernames, and project paths, these campaigns enable threat actors to chart networks and identify high-value targets for future operations. The reconnaissance data gathered from compromised development machines could be used to plan more targeted attacks against crypto organizations.

Final Takeaway

The discovery of over 70 malicious packages targeting the JavaScript ecosystem on May 26, 2025, underscores the critical importance of supply chain security for crypto developers. Every dependency is a potential attack vector, and the sophistication of these campaigns — combining stealthy data harvesting with destructive payloads under a veneer of legitimacy — demands constant vigilance. As the DeFi ecosystem processes hundreds of billions of dollars in value, the security of the development toolchain that builds these protocols deserves the same scrutiny as the smart contracts themselves.

Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always verify the security of your development dependencies before use.


7 thoughts on “Over 70 Malicious npm Packages Target Crypto Developers in Coordinated Supply Chain Attack”

1. 70 malicious npm packages and 3000+ downloads before detection. This isn't a development the space needs, it's a warning sign.

2. Packages named bbbb335656 and cdsfdfafd1232436437 and they still got 3000 downloads. Devs really need to check what they install.
