A large-scale attack on the JavaScript ecosystem
On September 8, 2025, the crypto community was shaken by one of the biggest supply-chain attacks in recent years. Hackers compromised the account of a well-known developer under the nickname qix and injected malicious code into 18 npm libraries, including widely used packages like:
- chalk
- debug
- ansi-styles
- strip-ansi
For context: these libraries are downloaded over 2.6 billion times per week. That means almost any web application or service built with JavaScript could have been affected.
How the malicious code worked
The attackers added a crypto-clipper — a script designed to swap wallet addresses right at the moment of a transaction.
Here’s how it worked:
- If no wallet was connected, the malware silently replaced the recipient’s address inside the dApp code.
- If a browser wallet was used (like MetaMask), the address was altered in the app’s memory before signing. The user saw the “correct” address, but funds were actually sent to the attacker’s wallet.
This is why security experts immediately advised users to pause transactions on MetaMask and Trust Wallet until the ecosystem is fully secured.
Who raised the alarm
Warnings came quickly from industry leaders:
- Charles Guillemet, CTO of Ledger, highlighted the scale of the attack and urged caution when signing any transactions.
Discussions on Reddit reflected the same concern:
“Better to halt all on-chain activity through software wallets for now. Hardware wallets have the advantage of showing the final destination address on their own screen, independent of what the browser displays.”
The consensus was clear: hardware wallet users currently have the strongest protection.
Losses under $50 — but a major wake-up call
Ironically, despite the huge scope, the financial damage was minimal — less than $50 stolen. The reasons:
- npm maintainers and security teams reacted within hours.
- Malicious packages were removed just 2.5 hours after the breach began.
- Companies like Vercel flushed their caches and alerted customers almost immediately.
But the real takeaway isn’t the dollar amount — it’s that a vulnerability this deep could have drained funds from virtually anyone.
What MetaMask and Trust Wallet users should do
Experts recommend the following steps:
- 🔒 Pause activity
Avoid on-chain transactions via MetaMask or Trust Wallet until npm dependencies are fully updated.
- 🛡 Switch to hardware wallets
Devices like Ledger and Trezor display the final recipient address on-screen, making address-swapping attacks impossible.
- ✅ Send test transactions
If you absolutely must move funds, send a small test transfer first to confirm the address.
- 📌 Pin dependencies
For developers: lock dependency versions (pin dependencies) to prevent accidentally pulling malicious updates.
Is the bug fully fixed?
For now — yes. The malicious versions were removed, flagged as unsafe, and detection rules were released. However:
- Compromised versions may still linger in caches.
- Projects that hard-pinned older revisions could remain at risk.
That’s why the advice to avoid MetaMask and Trust Wallet is still relevant — especially for beginners.
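For developers, the pinning advice and the caveat about lingering compromised versions both come down to checking what a project actually resolves. The following is an added example, not code from the article or from npm: it goes slightly beyond the text by listing every direct or transitive copy of the four packages named above in a package-lock.json and flagging unpinned ranges in package.json. The function names, the sample project and the blocklisted version strings are constructed placeholders; take the real affected versions from the official advisory.

```javascript
const WATCHED = ['chalk', 'debug', 'ansi-styles', 'strip-ansi'];

// Placeholder blocklist: take the real compromised versions from the official
// advisory. The version strings below are constructed for this example.
const BLOCKLIST = { chalk: ['99.0.1'], debug: ['99.0.2'] };

// "node_modules/a/node_modules/@scope/b" -> "@scope/b" (nested and scoped installs)
function nameFromLockPath(lockPath) {
  const marker = 'node_modules/';
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

// Every resolved copy of a watched package, direct or transitive (lockfileVersion 2/3).
function auditLock(lock, blocklist = BLOCKLIST) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = nameFromLockPath(path);
    if (!WATCHED.includes(name)) continue;
    findings.push({
      name, path, version: meta.version,
      blocked: (blocklist[name] || []).includes(meta.version),
    });
  }
  return findings;
}

// Manifest entries that are ranges or tags rather than one exact version.
function unpinned(manifest) {
  const exact = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;
  const out = [];
  for (const field of ['dependencies', 'devDependencies']) {
    for (const [name, range] of Object.entries(manifest[field] || {})) {
      if (!exact.test(range)) out.push(`${field}:${name}@${range}`);
    }
  }
  return out;
}

// Constructed sample inputs (hypothetical project "demo-dapp").
const sampleManifest = { dependencies: { chalk: '^99.0.0', 'some-lib': '1.2.3' }, devDependencies: { debug: '~99.0.0' } };
const sampleLock = { lockfileVersion: 3, packages: {
  '': { name: 'demo-dapp' },
  'node_modules/chalk': { version: '99.0.1' },
  'node_modules/some-lib': { version: '1.2.3' },
  'node_modules/some-lib/node_modules/debug': { version: '99.0.0' },
  'node_modules/chalk/node_modules/ansi-styles': { version: '99.1.0' },
} };
console.log(auditLock(sampleLock), unpinned(sampleManifest));
```

An exact version in package.json covers only direct dependencies; the lockfile records the resolved version of every transitive one, and `npm ci` installs exactly what the lockfile lists.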
Conclusion
The npm supply-chain breach proved that even the most basic development tools can become a weak link in the crypto ecosystem. While the stolen funds were negligible, the risk was massive. The incident is a sharp reminder: wallet security depends not only on the blockchain itself but also on the underlying software that interacts with it. For now, experts urge caution with MetaMask and Trust Wallet, while the safest move is to reduce activity and rely on hardware wallets until the dust fully settles.
