pull down to refresh

EMERGENCY: Bitcoin Wallets Compromised! DO NOT SIGN TX Before Watching
98 sats \ 14 comments \ @Bell_curve 17h bitcoin
write
preview
related posts
1 reply \ @Bell_curve OP 17h
reply
11 sats \ 0 replies \ @nitter 17h
https://xcancel.com/P3b7_/status/1965094840959410230
reply
1 reply \ @Bell_curve OP 17h
from Claude...
Based on the research I've gathered, here are the 18 specific NPM packages that were compromised in this supply chain attack:

The Compromised Packages (with weekly download numbers):

Starting at September 8th, 13:16 UTC, these 18 very popular packages were compromised:
Highest Impact Packages:
  • ansi-styles - 371.41 million downloads/week
  • debug - 357.6 million downloads/week
  • chalk - 299.99 million downloads/week
  • strip-ansi - 261.17 million downloads/week
  • ansi-regex - 243.64 million downloads/week
  • wrap-ansi - 197.99 million downloads/week
  • color-convert - 193.5 million downloads/week
  • color-name - 191.71 million downloads/week
Medium Impact Packages:
  • is-arrayish - 73.8 million downloads/week
  • slice-ansi - 59.8 million downloads/week
  • error-ex - 47.17 million downloads/week
  • color-string - 27.48 million downloads/week
  • simple-swizzle - 26.26 million downloads/week
  • supports-hyperlinks - 19.2 million downloads/week
  • has-ansi - 12.1 million downloads/week
Lower Impact Packages:
  • chalk-template - 3.9 million downloads/week
  • supports-color - 287.1 million downloads/week
  • backslash - 0.26 million downloads/week

What These Packages Do

These are all fundamental utility packages that handle basic functions like:
  • Text coloring and formatting (chalk, ansi-styles, color-convert)
  • Debugging output (debug)
  • String manipulation (strip-ansi, wrap-ansi)
  • Error handling (error-ex)

The Scale

These utilities underpin much of the modern web and collectively account for more than 2.6 billion weekly downloads. They're the kind of packages that get included in almost every JavaScript project without developers even realizing it.

How the Attack Happened

Hackers compromised the npm account of Josh Goldberg, a well-known open-source maintainer known as "Qix," through a phishing campaign that targeted npm maintainers with emails impersonating the platform's support team.
These aren't flashy frameworks - they're the invisible building blocks that millions of websites and applications depend on, which is exactly what made this attack so devastating.
reply
11 sats \ 0 replies \ @SimpleStacker 16h
How the heck does an experienced open source maintainer fall for a phishing attack?
It must have been a very sophisticated and convincing phishing attempt?!
reply
11 sats \ 7 replies \ @0xbitcoiner 17h
Ledger CTO warns users to halt onchain transactions amid massive NPM supply chain attack
reply
132 sats \ 5 replies \ @freetx 17h
Something about this story is strange: So a NPM library has been downloaded a billion times is suddenly discovered to have BTC address-swapping code?
The only way I can see that as plausible is if some major exchange: Binance / Coinbase, etc is using said NPM library. What other "wallets" could account for a billion downloads?
reply
29 sats \ 2 replies \ @0xbitcoiner 17h
Yeah, I don't get it either. Good thing I use a wallet that doesn't use npm.
reply
94 sats \ 1 reply \ @freetx 17h
So here is the gist of all the swap addresses extracted from malware. https://gist.github.com/jdstaerk/f845fbc1babad2b2c5af93916dd7e9fb
I've checked about 10 of the 'bc1' bitcoin ones and don't see any transactions.
I've also checked some of the eth ones on etherscan and don't see any meaningful activity on those....(a few .000015 transactions, that may be test from original malware developer, but nothing significant).
So what does this mean? A billion downloads and no transactions?
reply
21 sats \ 0 replies \ @0xbitcoiner 17h
Me neither. maybe folks are stepping up their game and checking the full address instead of just the beginning and end.
reply
10 sats \ 1 reply \ @Bell_curve OP 17h
https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised
from @evankaloudis
reply
11 sats \ 0 replies \ @freetx 17h
The code first checks for the existence of window.ethereum, an object injected by wallet extensions like MetaMask. If no wallet is found, it proceeds with a passive attack.
Hmm...yes I forgot about MetaMask....thats probably the intended target.
reply
0 sats \ 0 replies \ @Bell_curve OP 17h
Thanks!
reply
56 sats \ 0 replies \ @ek 17h
Our package-lock.json specified the stable version 1.3.2 or newer, so it installed the latest version 1.3.3, which got published just a few minutes earlier.
I assume they meant package.json and this only happens when you run npm install, not npm ci?
Isn't my package-lock.json specifying exactly which version of dependencies to install for npm ci?
reply
11 sats \ 0 replies \ @nitter 17h
https://xcancel.com/BTCsessions/status/1965136278946763209
reply