Laughing Hyena

Tag: NPM

Gaming Gear

A terrifying, self-replicating malware has infected npm packages with over 2 million downloads per week – here’s how to stay safe

by admin September 17, 2025



  • A new supply-chain attack compromised at least 187 npm packages, targeting developer secrets across software projects
  • Shai-Hulud worm looks to steal credentials, modify packages, and spread malware through GitHub Actions and npm tokens
  • Researchers warn the number of compromised packages is likely to grow

At least 187 malicious npm packages have been uncovered, part of yet another major supply-chain attack against software developers.

Security researchers from Socket, StepSecurity, and Aikido all detected an ongoing campaign, apparently being orchestrated by the same group that targeted Nx several weeks ago.

Similar to that campaign, the miscreants were again after developer secrets: login credentials, AWS keys, GCP and Azure service credentials, GitHub personal access tokens, npm authentication tokens, and whatever can be pulled from cloud instance metadata endpoints.



Many affected

However, the attack methodology evolved, the researchers noted.

“The scale, scope and impact of this attack is significant,” they explained. “The attackers are using the same playbook in large parts as the original attack, but have stepped up their game.”

This time around, the attackers built a worm, called Shai-Hulud (a nod to the sandworms of Dune), that does four things once it executes in a victim's environment. It hunts for secrets, using tools like TruffleHog and queries to cloud metadata endpoints, and publishes what it finds to GitHub publicly. It drops a malicious GitHub Action that sends repository secrets to an attacker-controlled webhook and hides them in logs. And it uses any stolen npm tokens to modify and republish every package the maintainer controls, embedding the worm in each one so that the next person who installs those packages starts the cycle again.

Among the compromised npm packages are some published by cybersecurity firm CrowdStrike, alongside others with millions of weekly downloads.


CrowdStrike, on its end, did what it could to mitigate the risk and minimize the damage.

“After detecting several malicious Node Package Manager (NPM) packages in the public NPM registry, a third-party open source repository, we swiftly removed them and proactively rotated our keys in public registries,” a CrowdStrike spokesperson said, The Register reports.

“These packages are not used in the Falcon sensor, the platform is not impacted and customers remain protected. We are working with NPM and conducting a thorough investigation.”

The number of packages confirmed as affected currently stands at 187, but the researchers warned that it will most likely keep rising: some potentially compromised packages are still pending validation.

Via The Register


GameFi Guides

NPM Hack in Crypto: Polygon, Ledger, Trezor Share Important Statements

by admin September 9, 2025


  • Polygon, Ledger, Trezor break silence on yesterday’s NPM hack
  • Largest JavaScript NPM hack: What you should know

So far, no cryptocurrency service has reported losses as a result of the clipper malware injected into NPM packages, the building blocks that practically every JavaScript developer depends on. At the same time, cryptocurrency users should stay particularly vigilant these days.

Polygon, Ledger, Trezor break silence on yesterday’s NPM hack

According to official statements from cryptocurrency teams, more and more services have confirmed that their technical architecture is unaffected by the Sept. 8 NPM attack, widely described as the biggest hack in the history of JavaScript.

Polygon (POL), the largest layer-2 network on the Ethereum Virtual Machine, assured readers that both Polygon Proof-of-Stake and Agglayer are unaffected by the incident.

Most importantly, similar statements have been released by the cryptocurrency wallet teams. Hardware wallet maker Ledger, whose CTO Charles Guillemet alerted the crypto community to the hack, stressed that all funds are safe.

Ledger devices are not and have not been at risk during an ecosystem-wide software supply chain attack that was discovered. Ledger devices are built specifically to protect users against attacks like these.

Trezor, another top-tier maker of hardware cryptocurrency wallets, stated that at no stage were its devices exposed to the attackers.

Trezor Suite, the app used to connect Trezor wallets to a computer, is also safe, the statement says.

Largest JavaScript NPM hack: What you should know

Yesterday, on Sept. 8, 2025, the account of a reputable JavaScript developer was hijacked. The attackers published tampered NPM packages (units of JS code) laced with malware targeting crypto on all major blockchains.

Tampered NPM packages might be downloaded billions of times, since JS is one of the dominant programming languages today.

Clipper malware replaces the address a victim sends crypto to with the attacker's address, so the user sends money to the attacker without knowing it.

All crypto users should be especially careful these days when sending funds on-chain and when signing approvals in Web3 wallets.



GameFi Guides

Ledger CTO Warns Users Amid Massive NPM Supply Chain Attack

by admin September 9, 2025



Ledger’s Chief Technology Officer, Charles Guillemet, issued a strong warning on Monday, urging some users to temporarily stop on-chain transactions. The alert comes after a massive supply chain attack compromised a trusted developer’s NPM account, affecting packages that have been downloaded over 1 billion times.

“There’s a large-scale supply chain attack in progress,” Guillemet said in a post on X. “If you use a hardware wallet, pay attention to every transaction before signing and you’re safe. If you don’t, refrain from making any on-chain transactions for now.”

🚨 There’s a large-scale supply chain attack in progress: the NPM account of a reputable developer has been compromised. The affected packages have already been downloaded over 1 billion times, meaning the entire JavaScript ecosystem may be at risk.

The malicious payload works…

— Charles Guillemet (@P3b7_) September 8, 2025

How the Attack Works

Supply chain attacks target the software distribution process rather than individual users. Here, the hackers took over the NPM account of the developer known as ‘qix’.

They allegedly inserted malicious code that automatically replaces cryptocurrency addresses, tricking users into sending money to the attacker rather than the intended recipient. The method resembles tactics used by North Korean hackers to steal $1.5 billion from the crypto exchange Bybit earlier this year.

Crypto developers quickly noticed the attack. @0x_ultra shared that packages like Chalk, with over 2 billion weekly downloads, were compromised and could steal private keys.

The affected developer confirmed the attack, explaining that phishing emails impersonating NPM threatened to lock maintainers' accounts in order to lure them to rogue websites. However, at the time of reporting, the attacker had only managed to steal $498.

What Users Should Do

The compromised packages were reportedly patched around 15:15 UTC. However, websites and apps that updated their dependencies during that window may still be running the malicious versions.

Further, Uniswap, MetaMask, Ledger, OKX Wallet, Sui, Aave and Morpho have stated that they were “not affected” by the NPM supply chain attack.

Guillemet also reassured users that those using hardware wallets with clear signing are safe. Developers are encouraged to verify all of their dependencies and make sure they are not using the compromised versions.

This attack is being described as possibly the biggest supply chain attack in history, and it is a reminder of the increasing risks in the software ecosystem and the role of security in crypto transactions.






GameFi Guides

Ledger CTO Warns of NPM Supply-Chain Attack Hitting 1B+ Downloads

by admin September 8, 2025



Charles Guillemet, chief technology officer at hardware wallet maker Ledger, warned on X on Monday that a large-scale supply chain attack is underway after the compromise of a reputable developer’s Node Package Manager (NPM) account.

According to Guillemet, the malicious code — already pushed into packages with over 1 billion downloads — is designed to silently swap crypto wallet addresses in transactions. That means unsuspecting users could send funds directly to the attacker without realizing it.

Guillemet did not name the developer whose account he said was compromised.

The incident underscores how deeply interconnected open-source software is and why security lapses in developer tools can ripple into the crypto economy almost instantly.

🚨 There’s a large-scale supply chain attack in progress: the NPM account of a reputable developer has been compromised. The affected packages have already been downloaded over 1 billion times, meaning the entire JavaScript ecosystem may be at risk.

The malicious payload works…

— Charles Guillemet (@P3b7_) September 8, 2025

“NPM is a tool commonly used in software development using JavaScript, which makes integrating packages easy for developers,” said Guillemet in a message to CoinDesk. When an attacker compromises a developer’s account, they can slip malicious code into widely used packages.

“The malicious code attempts to drain users by swapping addresses used in transactions or general on-chain activity and replacing them with the hacker’s address,” Guillemet added.

Guillemet stressed that if any decentralized application or software wallet across any blockchain includes these JavaScript packages, then they could be compromised, and crypto users could therefore lose their funds.

“The only sure way to combat this is to use a hardware wallet with a secure screen that supports Clear Signing,” said Guillemet to CoinDesk. “This will allow the user to see exactly which addresses funds are being sent to and ensure they match the intended addresses.”

“Hardware wallets without secure screens and any wallet that doesn’t support Clear Signing are at high risk, as it is impossible to accurately verify that the transaction details are correct,” he added.

“It’s an opportunity to remind everyone: always verify your transactions, never blind sign, use a hardware wallet with a secure screen, and Clear Sign everything,” Guillemet said.






@2025 laughinghyena - All Rights Reserved. Designed and Developed by Pro

