Contact Us
blog-browser-based-crypto-stealer-in-npm-supply-chain-attack-advisory-by-sisa-sappers

Browser-Based Crypto-Stealer in NPM Supply Chain Attack – Advisory By SISA Sappers

A massive NPM supply chain attack on 18 popular JavaScript packages exposed 2.6B downloads to a browser-based crypto-stealer. Learn how the phishing-led compromise worked, its impact on Ethereum, Solana, and Bitcoin wallets, and key prevention steps.

Executive Summary

On September 8, 2025, the Node Package Manager (NPM) ecosystem was subjected to a massive supply chain attack impacting 18 popular JavaScript packages, which collectively account for over 2.6 billion weekly downloads. The incident was initiated through a sophisticated phishing campaign that compromised a high-profile package maintainer’s account. The attacker then injected malicious code—a crypto-draining malware—into new versions of these packages. The malware was designed to hijack cryptocurrency transactions within web browsers by intercepting and modifying wallet interactions for multiple blockchains, including Ethereum, Solana, and Bitcoin. The malicious packages were live on the NPM registry for approximately two hours before being detected and removed by the security community and NPM staff. This attack underscores the critical vulnerabilities of transitive dependencies and the single-point-of-failure risk associated with maintainer account security in the open-source software supply chain.

Packages Compromised

The following packages and versions were identified as compromised:

Timeline of Attack

  • 13:16 UTC : Attacker begins publishing malicious versions of the 18 packages to the NPM registry.
  • 13:21 UTC : Automated security systems at Aikido Security detect anomalous and obfuscated code in the newly published packages.
  • 14:16 UTC : Public disclosures and community alerts begin to circulate.
  • 15:20 UTC : The GitHub community independently identifies and reports the suspicious code.
  • 17:20 UTC : NPM publicly acknowledges the breach and confirms they are working on removing the malicious packages.
  • 19:59 UTC: NPM confirms to the maintainer that all impacted package versions have been removed from the registry

Attack Flow

The attack was executed in two primary stages: initial access through social engineering and the subsequent supply chain injection.

  1. Initial Access (Phishing): The attack began when a prolific package maintainer, Josh Junon (GitHub: qix), received a highly convincing phishing email impersonating NPM support. The email, sent from support@npmjs[.]help (a typosquatted domain of the legitimate support@npmjs.com), created a sense of urgency by claiming a mandatory 2FA update was required to avoid account lockout. The maintainer was directed to a credential-harvesting site hosted on a CDN.
  2. Credential & 2FA Capture: The phishing site captured the maintainer’s username, password, and time-sensitive 2FA code. This data was immediately exfiltrated to an attacker-controlled WebSocket (websocket-api2.publicvm[.]com).
  3. Account Takeover: Using the captured credentials, the attacker gained unauthorized access to the maintainer’s NPM and GitHub accounts.
  4. Malicious Code Injection: The attacker injected obfuscated, malicious code into the js files of the 18 popular packages controlled by the compromised account.
  5. Publishing Compromised Packages: The attacker published new, trojanized versions of these packages to the official NPM registry.
  6. Propagation: Developers and automated build systems worldwide began pulling these compromised packages into their projects as dependencies, unknowingly embedding the crypto-draining malware into their applications.
  7. Execution (Transaction Hijack): When an end-user interacted with an application built with a compromised package, the malware activated in their browser. It hooked into core browser functions (fetch, XMLHttpRequest) and crypto wallet APIs (ethereum) to intercept and alter outgoing cryptocurrency transactions, redirecting funds to attacker-controlled wallets just before the user’s final approval.

Technical Details

Initial Access

The attacker employed a classic phishing strategy using domain spoofing (typosquatting) and a credential harvesting website. The site’s content was delivered via the Bunny CDN service, using specific buckets to host the malicious infrastructure.

Attack Execution and Malware Functionality

The attack involved a browser-resident crypto-stealer embedded as a single obfuscated line of JavaScript appended to index.js in compromised npm packages. This ensured execution only in the end-user’s browser, leaving developer machines and servers unaffected—bypassing tools like EDR or vulnerability scanners. Multiple obfuscation layers concealed global objects (stealthProxyControl) and functions (runmask, newdlocal, checkethereumw) that managed core logic.

Dual-Mode Logic

The malware operated in two modes, determined by the presence of a Web3 wallet:

  1. Passive Address Swapping (No Wallet Detected):
    1. Hooked browser APIs (fetch, XMLHttpRequest) to inspect JSON responses.
    2. Replaced detected crypto addresses (BTC, ETH, SOL, TRX, LTC, BCH) with attacker-controlled ones.
    3. Used the Levenshtein distance algorithm to select visually similar addresses from a pool of 280 attacker wallets, making swaps hard to detect.
  2. Active Transaction Hijacking (Wallet Detected):
    1. Detected window.ethereum (e.g., MetaMask) and hooked wallet APIs (eth_sendTransaction).
    2. Intercepted and altered transaction parameters in memory, redirecting funds to the attacker’s Ethereum wallet 0xFc4a4858bafef54D1b1d7697bfb5c52F4c166976.
    3. Modified calls to ERC-20 functions via their 4-byte selectors:
      1. approve (0x095ea7b3), permit (0xd505accf), transfer (0xa9059cbb), transferFrom (0x23b872dd).
    4. This allowed not only theft of funds but also creation of unlimited token approvals for later draining.

Technical Mechanics

  • Network Interception: Wrapped fetch and XMLHttpRequest to clone/modify JSON responses and inject attacker addresses.
  • Wallet API Hooking: runmask() overwrote wallet methods (request, send, sendAsync) with wrappers that manipulated transaction data before relaying them.
  • Solana Handling: Attempted manipulation of Solana transactions by overwriting pubkey, recipient, and destination with 19111111111111111111111111111111, but this caused failures instead of theft—indicating incomplete or experimental code.

Key Characteristics

  • Client-side only: No persistence or server compromise.
  • Stealth-focused: Limited aggressive behavior to high-value targets with active wallets.
  • Operational sophistication: Careful OPSEC choices, structured code, and address similarity algorithms revealed a calculated, financially motivated adversary.

Impact Assessment

  • Scope: The attack affected 18 packages with a combined 2.6 billion weekly downloads, making it one of the largest NPM supply chain incidents by reach.
  • Target: The primary goal was financial theft through the draining of cryptocurrency from end-users of applications that included the compromised packages.
  • Direct Impact: Any developer who updated to or installed the compromised package versions during the ~2-hour window incorporated the malware into their application builds.
  • Indirect Impact: Arkham intelligence, which actively tracked the attacker’s known wallets, reported a total of approximately $1000 in stolen funds.

Image courtesy: Arkham intelligence

Arkham Intelligence aggregates and displays the total value of tokens held by an attacker across all linked addresses and blockchains. This provides a unified view of the attacker’s cross-chain asset holdings in real time.

Recommendations for Prevention

  • Strengthen Maintainer Account Security:
    • Enforce phishing-resistant Multi-Factor Authentication (MFA) (e.g., hardware security keys) for all maintainers on NPM and GitHub.
    • Monitor account activity for anomalous login patterns (e.g., unusual geolocation, device fingerprints).
  • Implement Package Signing and Verification:
    • Adopt cryptographic signing for all packages (e.g., via Sigstore) to ensure package integrity and verify the author’s identity.
    • Configure package managers to verify signatures upon installation and fail the build if a signature is invalid or missing.
  • Harden the Publishing Process:
    • Require multi-maintainer approval (multi-signature) for publishing new versions of critical packages.
    • Enforce mandatory automated code scanning and manual code reviews for changes, especially those introducing obfuscation or network functionality.
  • Secure Development Pipelines:
    • Pin dependencies to exact, vetted versions using lockfiles. Avoid using loose version ranges (^ or ~).
    • Use reproducible builds to ensure the same source code always produces the same build artifact.
    • Maintain a private or proxied NPM registry for critical dependencies to control which versions are accessible.

Indicators of Compromise (IOCs)

  • Phishing Email Sender: support@npmjs[.]help
  • IP Address: 7.81.108 (Phishing Website)
  • Malicious Domains / Buckets:
    • static-mw-host.b-cdn[.]net
    • img-data-backup.b-cdn[.]net
  • Data Exfiltration Endpoint: websocket-api2.publicvm[.]com
  • Code Identifiers:
    • Obfuscated string: _0x112fa8
    • Suspicious function names: checkethereumw, stealthProxyControl, runmask
  • Attacker Ethereum Address (for approve hijack):
    • 0xFc4a4858bafef54D1b1d7697bfb5c52F4c166976

Click here for IOC List: Suspicious Wallet Addresses

Untapped Attack Vectors

1. Weaponizing Wallets for Systemic DeFi Exploitation

The deployed malware was designed to steal funds from individual transactions. A more devastating, blockchain-native approach would have aimed to cause systemic failure in Decentralized Finance (DeFi) protocols, leading to far greater financial losses.

  • Mass “Ice Phishing” for Unlimited Approvals: Instead of just hijacking an in-progress transaction, the malware could have implemented a more advanced “ice phishing” campaign. It could have prompted users with a deceptive but seemingly benign request, such as “Verify wallet to continue,” which, when signed, would grant the attacker’s smart contract unlimited, permanent spending approval

(approve or setApprovalForAll) for the user’s most valuable tokens (e.g., WETH, USDC, USDT). This would transform the malware into a “wallet drainer,” allowing the attacker to empty the entire contents of victims’ wallets at a later time.  

A highly sophisticated attacker would recognize that the most valuable target is not the end-user, but the developer’s machine itself. By shifting the payload’s focus from a client-side clipper to a server-side credential harvester, the attacker could have gained direct control over a blockchain protocol’s core infrastructure.

  • Targeting Developer Private Keys: Many blockchain developers store high-value private keys locally for deploying and testing smart contracts on both testnets and mainnets. A payload designed as an information stealer could have systematically scanned the developer’s machine for these keys, searching for .env files, wallet storage directories, or plaintext seed phrases.

2.Targeted dApp Hijacking for Irreversible Damage

A truly sophisticated web3 threat actor would recognize that the ultimate impact isn’t just theft, but the erosion of trust in decentralized systems. Instead of a generic crypto-stealer, a more potent payload would have acted as a targeted weapon against specific, high-value Decentralized Applications (dApps).

  • Context-Aware Payload Activation: The malware could have remained dormant until it detected it was running on the front-end of a major DeFi protocol, NFT marketplace, or cross-chain bridge. By checking the location.hostname, the malware could have activated a specific attack tailored to that dApp.
  • Malicious Contract Redirection: Upon identifying a target like a major decentralized exchange, the malware would not just swap a recipient address. It would have insidiously replaced the protocol’s legitimate smart contract address in the front-end’s API calls with the address of a malicious, attacker-deployed contract. To the user, the interface would look identical, but all interactions would be routed through the attacker’s code.
  • Irreversible Asset Destruction and Lockup: The goal of this malicious contract would be maximum, permanent damage rather than simple theft.
    • NFT Burning: On an NFT marketplace, the malware could have tricked users into signing a transfer transaction that sends their high-value NFTs to the null address (0x00…), permanently destroying them.
    • Permanent Fund Locking: For a lending protocol, the malicious contract could have been a “honeypot” with no withdrawal function. Users attempting to deposit collateral would have their funds permanently and irretrievably locked in the attacker’s contract.

Additional Info:

Validation, Containment, Eradication, and Recovery of Affected Packages

Validation & Identification: Is My Environment Affected?

  1. Check Lockfiles: The most reliable method is to check your project’s lockfiles (package-lock.json, lock, pnpm-lock.yaml) for any of the compromised package versions listed above. Since many of these are transitive dependencies, they may not appear in your package.json.
  2. Scan Source Code: Use command-line tools to search your node_modules directory for unique identifiers from the malicious code.

Bash

# Search for the unique obfuscated string identifier
grep -r “_0x112fa8” ./node_modules

  1. Use Security Scanners: Run tools like npm audit, Snyk, or other Software Composition Analysis (SCA) tools, which have been updated to flag these specific malicious versions.

Containment, Eradication, and Recovery Steps for affected packages

If a compromised package is found, follow these steps immediately:

  1. Containment:
    1. Isolate Affected Systems: Take any affected build servers, CI/CD runners, or developer machines offline to prevent further propagation.
    2. Rotate Credentials: Immediately rotate all secrets, API keys, tokens, and passwords present on affected machines, as the malware’s full capabilities may not be known.
  2. Eradication:
    1. Pin to a Safe Version: In your json, explicitly set the version of the affected dependency (and its parent dependencies) to a known-good version before the attack.
    2. Clear Caches: Completely clear all local and remote caches to prevent the compromised package from being re-fetched.

Bash

npm cache clean –force

3. Delete node_modules and Lockfiles: Remove the entire node_modules directory and the existing lockfile (package-lock.json or lock).

Bash

rm -rf node_modules package-lock.json

  1. Recovery:
    1. Perform a Clean Install: Run npm install (or yarn install) to generate a new, clean lockfile and node_modules directory based on the safe versions pinned in your json.
    2. Rebuild and Redeploy: Rebuild your application from this known-good state and redeploy it to all environments.
    3. Purge CDNs: If your application is served via a CDN, purge its cache to ensure end-users receive the clean version of the code.

Detection: Actionable Insights for Future Prevention

To detect similar attacks in the future, organizations should implement a multi-layered strategy:

  • Pre-Publish/Pre-Install Scanning:
    • Integrate automated static and dynamic analysis tools into your CI/CD pipeline. Configure them to scan for:
      • High-Entropy Strings / Obfuscation: Flag packages with heavily obfuscated code, a common sign of malware.
      • Network Calls: Alert on packages that make unexpected network connections, especially during installation (via lifecycle scripts).
      • File System Access: Monitor for scripts that read sensitive files (e.g., SSH keys, environment variables).
    • Behavioral Anomaly Detection:
      • At runtime, monitor applications for anomalous behavior, such as attempts to hook into ethereum or proxy fetch and XMLHttpRequest.
      • Implement Content Security Policies (CSP) to restrict where scripts can be loaded from and what network requests they can make.
  • Dependency Monitoring:
    • Use tools that monitor for changes in package metadata, such as a change in the package maintainer or a sudden, unexplained major version jump.
    • Implement a “cooldown” period for new package releases, where new versions are held in a quarantined environment for a set time (e.g., 24-72 hours) before being used in production, allowing time for community detection of malicious activity.
  • Threat Intelligence Integration:
    • Subscribe to threat intelligence feeds specific to open-source ecosystems to receive real-time alerts about newly discovered vulnerabilities and compromised packages.

References

https://vercel.com/blog/critical-npm-supply-chain-attack-response-september-8-2025

https://thehackernews.com/2025/09/20-popular-npm-packages-with-2-billion.html

https://www.mend.io/blog/npm-supply-chain-attack-infiltrates-popular-packages/

https://www.endorlabs.com/learn/major-supply-chain-attack-compromises-popular-npm-packages-including-chalk-and-debug

https://snyk.io/blog/npm-supply-chain-attack-via-open-source-maintainer-compromise/

https://intel.arkm.com/explorer/entity/bb347405-06a1-4268-a901-4b4e17d93bfa

https://www.coindesk.com/markets/2025/09/09/ethereum-solana-wallets-targeted-in-massive-npm-attack-but-just-5-cents-taken

https://www.mexc.com/en-GB/news/largest-npm-attack-in-crypto-history-stole-less-than-50-seal/89759

https://www.coti.news/news/over-1-billion-downloads-at-risk-in-historic-npm-hack-but-only-50-lost-so-far

https://www.ainvest.com/news/phishing-attack-hijacked-2-billion-npm-downloads-steal-crypto-2509/

Recent Blogs

SISA logo in white

SISA is a Leader in Cybersecurity Solutions for the Digital Payment Industry. As a Global Payment Forensic Investigator of the PCI Security Standards Council, we leverage forensics insights into preventive, detective, and corrective security solutions, protecting 1,000+ organizations across 40+ countries from evolving cyberthreats.

Our suite of solutions from AI-driven compliance, advanced security testing, agentic detection/ response and learner focused-training has been honored with prestigious awards, including from Financial Express, DSCI-NASSCOM and The Economic Times.

With commitment to innovation, and pioneering advancements in Quantum Security, Hardware Security, and Cybersecurity for AI, SISA is shaping the future of cybersecurity through cutting-edge forensics research.

Company

Services

Resources

Quick Links

Connect with us

Copyright © 2025 SISA. All Rights Reserved.
SISA’s Latest
close slider

Blogs

Browser-Based Crypto-Stealer in NPM Supply Chain Attack – Advisory By SISA Sappers

Event

SISA is a Gold Sponsor at the GenAI Summit Qatar

Webinar

AI Meets Assurance: HITRUST AI Security Assessment for True Security

Case Study

SISA Helps a Financial Services Major Achieve Detection Readiness with Breach and Attack Simulation

Infosec Report

Threat Report – H1 2025 by SISA Sappers

Weekly Threat Watch

Legitimate Tools Weaponized for Stealthy Access and Data Theft

Blog

Browser-Based Crypto-Stealer in NPM Supply Chain Attack – Advisory By SISA Sappers

News Room

SISA Partners with SRM University, Chennai to Create Next-Gen Cybersecurity Workforce

Whitepaper

Transitioning to Quantum Cyber Readiness: A white paper by CERT-In in collaboration with SISA

Webinar

AI Meets Assurance: HITRUST AI Security Assessment for True Security

Sign up for SISA's Daily
Threat Watch Advisory
Subscribe now!