A phishing attack on a Node.js developer led to malicious code in npm packages, targeting Ethereum and Solana wallets and impacting over 2 billion weekly downloads.

Executive Summary

Attackers compromised widely used npm packages through a phishing attack, injecting malicious code designed to steal cryptocurrency. The attack, discovered on September 8, 2025, targeted Ethereum and Solana wallets by intercepting and redirecting transactions. While the immediate financial gain for the attacker was minimal, the incident exposed critical weaknesses in the software supply chain and raised concerns about the security of the Web3 ecosystem.

The Event in Detail

A highly regarded open-source developer, Josh Junon (aka qix), was compromised via a phishing email that spoofed npmjs.help. The attacker gained control of Junon's npm account and injected malicious code into 18 packages, including popular libraries like chalk, debug, and ansi-styles, affecting over 2 billion weekly downloads. The malicious code targeted cryptocurrency transactions, specifically monitoring for Ethereum, Solana, Bitcoin, Tron, Litecoin, and Bitcoin Cash wallet addresses in network traffic. The code rewrites transaction targets, substituting legitimate addresses with attacker-controlled ones, and alters unsigned transactions, modifying recipients and amounts before the user signs them.

Market Implications

The attack highlights the vulnerability of the Web3 ecosystem to supply chain compromises. Despite Binance's statement that no user data or assets were compromised, the incident raises broader concerns about the security of open-source software and the potential for large-scale attacks targeting cryptocurrency users. The incident may lead to increased scrutiny of software dependencies and a push for stricter security measures within the Node.js ecosystem. Security teams also face significant remediation costs in identifying and updating affected systems.

Expert Commentary

"Even open-source software is not safe these days. Web3 will redefine security for Web2," stated Changpeng Zhao (CZ), co-founder of Binance, on the social platform X.

Charles Guillemet, chief technology officer at hardware wallet maker Ledger, noted that the malicious code had propagated into packages with over one billion downloads.

Broader Context

The attack underscores the importance of robust security measures within the software supply chain. Recommendations to mitigate similar attacks include regularly auditing npm dependencies, using package-lock.json to ensure consistent dependency versions, verifying package publishers, and monitoring for unexpected package updates. The incident reflects a growing trend of cybercriminals targeting cryptocurrency infrastructure through sophisticated phishing campaigns and supply chain attacks. As noted by security researchers, nearly every major attack in 2025 targeted cryptocurrency infrastructure, with phishing campaigns proving more effective than zero-day exploits.
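Two of the mitigations above, pinning dependencies with package-lock.json and watching for unexpected updates, can be checked mechanically. The Node.js script below is an added example, not code from the article or from any of the named projects: it audits a parsed lockfile for the package names the article lists and for entries without an integrity hash, and diffs two lockfiles to surface new packages, version changes, and the suspicious case of a changed hash at an unchanged version. The sample lockfiles, versions and hashes are constructed placeholders, not incident data.

```javascript
// Added example, not code from the article: audit and diff package-lock.json
// (lockfileVersion 2/3 "packages" map). Package names are from the article;
// the sample lockfiles, versions and hashes below are constructed.
const WATCHLIST = new Set(['chalk', 'debug', 'ansi-styles']);

// Package name is everything after the last "node_modules/" segment, which
// also covers scoped (@org/name) and nested packages.
function nameFromPath(p) {
  return p.slice(p.lastIndexOf('node_modules/') + 'node_modules/'.length);
}

// Report watchlisted packages and any entry lacking an integrity hash
// (without one, npm cannot detect a swapped tarball for that version).
function auditLockfile(lock, watchlist = WATCHLIST) {
  const findings = [];
  for (const [p, e] of Object.entries(lock.packages || {})) {
    if (p === '') continue; // root project entry
    const name = nameFromPath(p);
    if (watchlist.has(name)) findings.push({ name, version: e.version, reason: 'watchlist' });
    if (!e.integrity && !e.link) findings.push({ name, version: e.version, reason: 'no-integrity' });
  }
  return findings;
}

// Diff two lockfiles: new paths, version bumps, and the suspicious case of
// an integrity hash changing while the version string stays the same.
function diffLockfiles(oldLock, newLock) {
  const changes = [];
  const oldPkgs = oldLock.packages || {};
  for (const [p, e] of Object.entries(newLock.packages || {})) {
    if (p === '') continue;
    const prev = oldPkgs[p], name = nameFromPath(p);
    if (!prev) changes.push({ name, kind: 'added', to: e.version });
    else if (prev.version !== e.version) changes.push({ name, kind: 'version', from: prev.version, to: e.version });
    else if (prev.integrity !== e.integrity) changes.push({ name, kind: 'integrity', from: prev.version, to: e.version });
  }
  return changes;
}

// Constructed sample lockfiles (placeholder hashes, not incident versions).
const OLD_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'app' },
  'node_modules/chalk': { version: '1.0.0', integrity: 'sha512-AAA' },
  'node_modules/debug': { version: '1.0.0', integrity: 'sha512-BBB' } } };
const NEW_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'app' },
  'node_modules/chalk': { version: '1.0.1', integrity: 'sha512-CCC' },
  'node_modules/debug': { version: '1.0.0', integrity: 'sha512-DDD' },
  'node_modules/@scope/util': { version: '2.0.0' } } };
console.log(JSON.stringify({ audit: auditLockfile(NEW_LOCK), changes: diffLockfiles(OLD_LOCK, NEW_LOCK) }, null, 2));
```

To run it against real files, replace the constructed objects with `JSON.parse(fs.readFileSync(path, 'utf8'))` of the committed and the freshly generated package-lock.json, and treat any `integrity` change at an unchanged version as a finding to investigate before installing.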