These utilities underpin much of the modern web and collectively account for more than 2.6 billion weekly downloads. They're the kind of packages that get included in almost every JavaScript project without developers even realizing it.
Hackers compromised the npm account of Josh Goldberg, a well-known open-source maintainer known as "Qix," through a phishing campaign that targeted npm maintainers with emails impersonating the platform's support team.
These aren't flashy frameworks - they're the invisible building blocks that millions of websites and applications depend on, which is exactly what made this attack so devastating.
Something about this story is strange: So a NPM library has been downloaded a billion times is suddenly discovered to have BTC address-swapping code?
The only way I can see that as plausible is if some major exchange: Binance / Coinbase, etc is using said NPM library. What other "wallets" could account for a billion downloads?
I've checked about 10 of the 'bc1' bitcoin ones and don't see any transactions.
I've also checked some of the eth ones on etherscan and don't see any meaningful activity on those....(a few .000015 transactions, that may be test from original malware developer, but nothing significant).
So what does this mean? A billion downloads and no transactions?
The code first checks for the existence of window.ethereum, an object injected by wallet extensions like MetaMask. If no wallet is found, it proceeds with a passive attack.
Hmm...yes I forgot about MetaMask....thats probably the intended target.
Our package-lock.json specified the stable version 1.3.2 or newer, so it installed the latest version 1.3.3, which got published just a few minutes earlier.
I assume they meant package.json and this only happens when you run npm install, not npm ci?
Isn't my package-lock.json specifying exactly which version of dependencies to install for npm ci?
The Compromised Packages (with weekly download numbers):
What These Packages Do
The Scale
How the Attack Happened
npm install
, notnpm ci
?npm ci
?