A major NPM attack struck the crypto industry after hackers gained access to the account of a well-known software developer. The attackers inserted malware into popular JavaScript libraries downloaded over 1 billion times, raising concerns across crypto projects.
The Security Alliance (SEAL) reported the incident on Monday. According to SEAL, attackers inserted a crypto-clipper into NPM packages. This type of malware changes wallet addresses in transactions, allowing funds to be diverted without notice.

The malware specifically targeted Ethereum wallets and Solana wallets, SEAL confirmed. The affected NPM packages included chalk, strip-ansi, and color-convert. These small utilities often appear deep in dependency trees, meaning even developers who never installed them directly could still be exposed.

Stolen Crypto From NPM Attack Totals Less Than $50

Despite the scale of the NPM hack, the total stolen amounted to less than $50 in cryptocurrency. SEAL identified Ethereum wallet 0xFc4a48 as the main malicious address linked to the attack.
Earlier reports showed just five cents stolen, but the amount later rose to nearly $50, suggesting the attack was still in progress. SEAL wrote on X:
“Picture this: you compromise the account of a NPM developer whose packages are downloaded more than 2 billion times per week. You could have unfettered access to millions of developer workstations. Untold riches await you. The world is your oyster. You profit less than 50 USD.”
Etherscan data showed the compromised wallet received Ether (ETH) and several memecoins, including Brett (BRETT), Andy (ANDY), Dork Lord (DORK), Ethervista (VISTA), and Gondola (GONDOLA).

Ethereum and Memecoin Losses From NPM Hack

The NPM malware attack stole around $20 worth of memecoins and a small amount of Ether, SEAL confirmed. The findings highlighted that although losses were limited, exposure risks remained significant.
Ledger’s Chief Technology Officer Charles Guillemet urged users to double-check wallet addresses during transactions. In a separate statement, Ledger confirmed that its hardware wallets were not affected by the NPM attack.
The founder of DeFiLlama, 0xngmi, added that only projects updating their code after the infected packages were published might be at risk. Even then, users would need to approve malicious transactions before funds were compromised.

Supply Chain Risk in NPM Crypto Attack

NPM, often described as a central code library for JavaScript developers, acts as a core hub for sharing packages. Because NPM is so widely used, the breach spread through hidden dependencies across multiple crypto projects.
The affected packages (chalk, strip-ansi, and color-convert) are used in countless platforms. Developers relying on these libraries may have unknowingly integrated compromised code into their systems.
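
To see whether a project pulls in any of the three named packages through hidden dependencies, a lockfile audit along the following lines can help. This is an added example, not code from SEAL or from the article; the lockfile contents, all version numbers, and the `flaggedVersions` input (which a caller would fill from a published advisory) are constructed assumptions.

```javascript
// Added example. Package names come from the article; every version number and the
// "demo-dapp" / "wallet-ui" / "@demo/logger" names are constructed sample data.
const WATCHED = ["chalk", "strip-ansi", "color-convert"];

// Constructed, already-parsed package-lock.json (lockfileVersion 3).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-dapp", dependencies: { chalk: "^9.9.0", "wallet-ui": "^1.0.0" } },
    "node_modules/chalk": { version: "9.9.1" },
    "node_modules/wallet-ui": { version: "1.0.0", dependencies: { chalk: "9.8.0", "@demo/logger": "^2.0.0" } },
    "node_modules/wallet-ui/node_modules/chalk": { version: "9.8.0" },
    "node_modules/@demo/logger": { version: "2.0.0", dependencies: { "strip-ansi": "^9.0.0" } },
    "node_modules/strip-ansi": { version: "9.0.0" },
  },
};

// Name of the package installed at a lockfile path, or null for non-node_modules entries.
function nameFromPath(path) {
  const marker = "node_modules/";
  const idx = path.lastIndexOf(marker);
  return idx === -1 ? null : path.slice(idx + marker.length); // keeps "@scope/name" whole
}

// One finding per installed copy of a watched package.
// flaggedVersions: { name: [versions] } copied by the caller from a published advisory.
function findWatched(lock, watched = WATCHED, flaggedVersions = {}) {
  if (!lock || typeof lock.packages !== "object" || lock.packages === null) {
    throw new Error("expected a lockfileVersion 2 or 3 lockfile with a 'packages' map");
  }
  const entries = Object.entries(lock.packages);
  const root = lock.packages[""] || {};
  const rootDeps = { ...root.dependencies, ...root.devDependencies, ...root.optionalDependencies };
  const findings = [];
  for (const [path, meta] of entries) {
    const name = nameFromPath(path);
    if (name === null || !watched.includes(name)) continue;
    // Every package (or the root project) that declares a dependency on this name.
    const declaredBy = entries
      .filter(([, m]) => m.dependencies && name in m.dependencies)
      .map(([p]) => (p === "" ? "(root project)" : nameFromPath(p) || p));
    findings.push({
      name, path, declaredBy,
      version: meta.version,
      direct: path === "node_modules/" + name && name in rootDeps,
      flagged: (flaggedVersions[name] || []).includes(meta.version),
    });
  }
  return findings;
}
```

On a real project, pass the parsed contents of `package-lock.json` instead of `SAMPLE_LOCK`; findings with `direct: false` are the copies a developer never installed by name.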
While the total losses from the NPM crypto attack stayed under $50, the incident revealed how dependency attacks can reach thousands of developers and crypto applications at once. SEAL and other security researchers continue monitoring the malicious address and infected packages.
