NPM Supply Chain Attack Exposes Billions of Downloads but Barely $503 Stolen

Van Thanh Le

Sep 9 2025


How a Massive Breach Unfolded Across Crypto’s Software Backbone

September 8, 2025, began with a warning from Ledger’s CTO Charles Guillemet, who took to X to alert developers and crypto users of what he described as a “large-scale supply chain attack in progress.” The breach stemmed from the compromise of the NPM account belonging to veteran developer Josh Junon, widely known by his handle “qix.” Packages under his control—responsible for more than a billion downloads—were republished with malicious code designed to hijack crypto wallet transactions.


The payload’s behavior was deceptively straightforward but highly dangerous: it scanned for wallet addresses inside Ethereum and Solana transactions and swapped them with attacker-controlled addresses in real time. Ethereum functions such as approve, transfer, and transferFrom were targeted through hooks inserted into window.ethereum, funneling transactions toward a wallet identified as 0xFc4a4858bafef54D1b1d7697bfb5c52F4c166976. Solana transactions, by contrast, were disrupted with invalid recipient strings beginning with “1911,” which forced transfers to fail outright. Beyond direct wallet manipulation, the code also intercepted fetch and XMLHttpRequest calls, combing through JSON data to find wallet substrings and replace them with one of 280 hardcoded variants designed to look authentic.

The breach itself started with a phishing campaign. Attackers masqueraded as npm support staff and tricked Junon into providing his credentials, including two-factor authentication codes, through a cloned login page. Once inside, they swiftly republished compromised versions of widely used libraries such as chalk, debug, ansi-styles, and strip-ansi. These dependencies are central to much of modern JavaScript development, particularly in the web3 ecosystem where wallet interfaces and dApps rely heavily on them. The transitive nature of dependencies within the npm registry meant that a single compromised package cascaded into hundreds of downstream projects, exposing potentially billions of downloads across the software supply chain.

Despite the scale, financial damage was remarkably limited. Security Alliance analysis showed that only about $0.05 in ETH and roughly $20 worth of meme tokens made it to the attacker’s wallets. Researcher @4484 categorized the wallets associated with the incident on Arkham as part of an “NPM attack,” which tracked $503.59 stolen in total. No meaningful Ethereum losses occurred. The discrepancy in totals reflects early tracking snapshots, but all assessments converged on the fact that damages were negligible. Ironically, the crude nature of the injected code helped contain the fallout: it broke continuous integration pipelines and caused transaction crashes, which drew immediate developer attention and limited the attack’s reach.


Developers and security leaders quickly cautioned users to halt on-chain activity until more was known. Guillemet stressed that hardware wallets still offered protection as long as users verified each transaction on their device screens, which prevented the invisible swapping from going unnoticed. The relatively small damage was characterized by researchers as “lucky,” since a more polished exploit could have siphoned significant funds. The crypto price index and broader coin market cap showed no disruption, underlining that markets did not panic even as headlines highlighted a billion-download exposure.


Major platforms rushed to reassure their communities. Solana-based services such as Marinade, Solflare, Step Finance, Jupiter, Drift, Phantom, and OKX confirmed no impact on their operations. Binance, which labeled the incident among the largest NPM attacks ever seen, clarified that no customer data or assets were compromised. The exchange emphasized that “security remains our top priority” and reminded users to stay vigilant, while founder Changpeng Zhao remarked, “Even open-source software is not safe these days. Web3 will redefine security for Web2.”


Other wallet providers pointed to safeguards already in place. MetaMask explained that it had avoided exposure thanks to its use of locked code versions, both manual and automated review systems, and layered defenses including LavaMoat, which isolates malicious code, and Blockaid, which quickly flags compromised addresses. These measures prevented the malicious packages from slipping into its environment.

What unfolded over the course of 24 hours now stands as both a cautionary tale and a reminder of fragility. A single developer’s compromised credentials, tricked out of him through a phishing site, were enough to ripple across the entire JavaScript ecosystem and into crypto infrastructure. While the dollar losses were almost comically small for such a sweeping breach, the episode underscores how vulnerable the crypto software stack remains. The crypto price landscape may not have registered a dent this time, but security experts warn that a more refined supply chain exploit could carry consequences far greater than what the market just narrowly avoided.

This article has been refined and enhanced by ChatGPT.
