Crypto Users At Risk After Hackers Exploit NPM JavaScript Libraries


Hackers hijacked popular NPM packages by injecting them with malicious code, stealing cryptocurrency funds from billions of users who downloaded the affected packages.

In a rush? Here are the quick facts:

  • Popular libraries affected include chalk, strip-ansi, debug, and color-convert.
  • Malware hijacks cryptocurrency transactions by replacing wallet addresses in browsers.
  • Only users updating packages during the attack window are at high risk.

The Node Package Manager (NPM) ecosystem suffered its biggest supply chain attack to date, as first reported by Bleeping Computer (BC). Hackers embedded malware into popular JavaScript libraries, which users download billions of times each week.

The attackers used fake NPM support emails to send package maintainers false alerts, prompting them to update their two-factor authentication.

Josh Junon (qix), a targeted maintainer, confirmed the phishing attack, stating it came from a fake domain, ‘npmjs[.]help.’ Attackers introduced harmful code into three widely used packages, which together receive more than 2.6 billion weekly downloads: chalk, strip-ansi, and debug.

CoinTelegraph explains that the malware acts as a crypto-clipper, monitoring web browser transactions for cryptocurrency addresses and replacing them with attacker-controlled addresses.

“The packages were updated to contain a piece of code that would be executed on the client of a website, which silently intercepts crypto and web3 activity in the browser, manipulates wallet interactions, and rewrites payment destinations,” explained Charlie Eriksen from Aikido Security, as reported by BC.

He added, “What makes it dangerous is that it operates at multiple layers: altering content shown on websites, tampering with API calls, and manipulating what users’ apps believe they are signing.”

CoinTelegraph notes that the attack specifically targets users who installed or updated compromised packages through web-based applications. Developers using pinned older versions remain protected, but users who rely on the latest software wallets face the greatest danger.
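To make the point about pinned versions concrete, here is an added example (not code from the article or from NPM) that lists every installed copy of the named packages in a `package-lock.json` (v2/v3 layout) and the direct dependencies declared with a floating range. The function names, the sample project and all version numbers are constructed placeholders; real flagged versions must come from the registry advisory.

```javascript
// Added example: package names come from the article; everything else is constructed.
const WATCHLIST = ["chalk", "strip-ansi", "debug", "color-convert"];

// Package name from a lockfile v2/v3 key such as
// "node_modules/a/node_modules/debug" or "node_modules/@scope/pkg".
function nameFromLockPath(path) {
  const marker = "node_modules/";
  const i = path.lastIndexOf(marker);
  return i === -1 ? null : path.slice(i + marker.length);
}

// Every installed copy (direct or transitive) of a watched package.
// `flagged` maps name -> array of versions taken from the registry advisory.
function findWatched(lock, watchlist = WATCHLIST, flagged = {}) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = nameFromLockPath(path);
    if (!name || !watchlist.includes(name)) continue;
    const bad = flagged[name] || [];
    hits.push({ name, version: meta.version, path, flagged: bad.includes(meta.version) });
  }
  return hits;
}

// Direct dependencies whose declared range is not an exact version.
function floatingRanges(pkg, watchlist = WATCHLIST) {
  const exact = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;
  const deps = { ...pkg.dependencies, ...pkg.devDependencies };
  return Object.entries(deps)
    .filter(([name, range]) => watchlist.includes(name) && !exact.test(range))
    .map(([name, range]) => ({ name, range }));
}

// Constructed sample input (not real project files; versions are placeholders).
const samplePkg = { dependencies: { chalk: "^1.0.0", debug: "1.2.3", express: "^1.0.0" } };
const sampleLock = {
  packages: {
    "": { name: "demo" },
    "node_modules/chalk": { version: "1.0.9" },
    "node_modules/debug": { version: "1.2.3" },
    "node_modules/express": { version: "1.0.0" },
    "node_modules/express/node_modules/debug": { version: "1.3.0" },
  },
};
const SAMPLE_FLAGGED = { debug: ["1.3.0"] }; // placeholder, not a real advisory value

console.log(findWatched(sampleLock, WATCHLIST, SAMPLE_FLAGGED), floatingRanges(samplePkg));
```

In the sample, the exact pin on `debug` in `package.json` does not cover the second copy pulled in transitively, which is why the check walks the lockfile rather than the manifest alone.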

Hardware wallets requiring manual transaction verification offer the strongest security protection.

BC says that NPM has removed some malicious versions, including the debug package, downloaded 357.6 million times per week. Security experts advise users to handle cryptocurrency transactions with care until all affected packages complete their full security update.
