Concern Over Compromised JavaScript Packages in Crypto Community
Crypto users may be at risk of fund theft after compromised JavaScript packages were identified, according to a warning from Ledger’s CTO, Charles Guillemet, on Monday.
Guillemet singled out NPM, the dominant package manager for JavaScript, noting that the breach could jeopardize the entire programming ecosystem: once the accounts of trusted maintainers are hijacked, malicious code can be published under their names and pulled into projects across many platforms.
“Malicious payloads can silently change crypto addresses to siphon off funds,” he explained. He also pointed out that the affected packages have been downloaded more than a billion times in total, meaning “virtually every blockchain” could potentially be exposed.
A massive supply chain attack is happening. Accounts of reputable developers on NPM have been compromised. The impacted packages have been downloaded over a billion times, which puts the whole JavaScript ecosystem at risk. Malicious payloads work… – Charles Guillemet
Software developer Cygaar urged caution, stating, “We strongly recommend against signing any crypto transactions at the moment.” He emphasized that “various cryptographic websites” might be at risk as well.
A blockchain security firm also reported that around two dozen popular packages, including “color-name” and “color-string,” were affected. NPM hosts reusable code libraries that developers pull into their own projects, so a single compromised library can reach every application that depends on it.
“We reroute transaction approvals to the attacker’s address instead of the intended recipient’s,” explained Cygaar.
While NPM has reportedly disabled the compromised versions, Cygaar suggested that developers should still verify their dependencies, since anyone who installed or built during the window before the takedown may already have the harmful code in their lockfile, their node_modules directory, or a shipped bundle.
Guillemet said he is working with the NPM security team to contain the incident, and that most of the malicious code has already been removed from the affected packages.
He noted that the compromised account, known as “Qix,” maintains fundamental JavaScript utilities used by numerous projects, which is why the fallout reaches so far.
The payloads work by altering the destination address in a transaction, but the transaction still has to be approved by the user. That approval step is the remaining safeguard: a user who checks the recipient address shown by the wallet before signing has a chance to notice that it is not the intended one.
The incident highlights an ongoing weakness in the crypto sector, said COO Mary Gooneratne: the industry remains exposed to its Web2 dependencies and to the broader open-source software it builds on.
Although the compromised package versions were live for only a short time, the scenario is still a concerning one. “It’s pretty alarming,” she remarked, suggesting the incident should serve as a learning opportunity for everyone involved.
Gooneratne confirmed that Solana’s lending protocol, Loopscale, has not been affected, and the independent wallet, Phantom, announced that it was also unaffected by the attack.
We strongly advise against signing any crypto transactions right now. There’s a significant supply chain attack on popular NPM packages which may have impacted several crypto websites. Transaction destination addresses have been altered… – Cygaar
On GitHub, users linked to the compromised NPM accounts said they had contacted NPM, which was working on removing the harmful versions. They noted they had fallen victim to an attempt to reset their two-factor authentication.
“Yes, I’ve been compromised,” one user admitted frankly. “I’m so sorry, this is quite embarrassing.”
I reached out to NPM for comments but didn’t hear back right away.
Editor’s Note: This article is ongoing and will be updated with additional context.
