- The NPM account of developer qix was compromised, injecting malware into popular libraries like chalk and strip-ansi.
- The malicious code intercepts transactions, replacing wallet addresses using the Levenshtein algorithm to trick unsuspecting users.
- Ledger CTO urged hardware wallet users to verify every transaction and warned software wallet users to avoid on-chain activity.
A large-scale supply chain attack has put the JavaScript ecosystem and crypto users on high alert. According to Ledger CTO Charles Guillemet, the NPM account of a widely trusted developer, known as qix, was compromised, resulting in dozens of malicious package versions being published.
The impacted libraries, including chalk, strip-ansi, and color-convert, collectively receive over a billion downloads weekly. The injected malware functions as a “crypto-clipper,” capable of swapping wallet addresses during transactions, thereby diverting funds directly to attacker-controlled accounts.
How the Attack Was Discovered
The incident first surfaced after developers noticed unexplained build failures in continuous integration pipelines. The issue was traced back to a dependency called error-ex, which had just received a new patch release.
That version, published minutes before, contained heavily obfuscated code. Upon inspection, researchers uncovered a suspicious function named checkethereumw, which raised immediate concern.
Further investigation revealed that the malware targeted modern Node.js environments by relying on the global fetch function. In older environments that lack it, builds broke, unintentionally exposing the attack.
Without this failure, the malicious code could have silently infiltrated production systems unnoticed.
Dissecting the Malicious Payload
Analysis showed the code employs two distinct strategies. First, it performs a passive attack by intercepting browser network requests through monkey-patching fetch and XMLHttpRequest.
This allows it to monitor and replace outgoing crypto wallet addresses with attacker-controlled ones. The replacement mechanism relies on the Levenshtein distance algorithm, selecting an address visually similar to the victim’s original.
This makes detection difficult for users casually reviewing addresses. Secondly, if a crypto wallet like MetaMask is detected, the malware escalates to an active attack.
It hijacks communication methods such as request and send, altering transaction data before it reaches the wallet. As a result, unsuspecting users may authorize payments to attacker addresses unless they carefully verify each detail on confirmation screens.
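As an added example (not code from the article or from the analysis it reports), here are the two defender-side checks these behaviours suggest, written for Node 18+ or a browser: a test of whether network primitives are still native functions, and a comparison of the address the user approved against the address actually leaving the application, using the same Levenshtein metric to measure how close a substitute is. The wallet addresses are constructed sample values.

```javascript
// Added example; assumes Node 18+ or a browser. Addresses are constructed.

// 1. Native built-ins stringify to "[native code]"; a JavaScript wrapper
//    installed by a malicious dependency does not. Caveat: Node's own fetch is
//    implemented in JavaScript (undici), so apply this to fetch in browsers
//    only, and treat a pass as weak evidence (toString can also be patched).
function isNativeFunction(fn) {
  if (typeof fn !== "function") return false;
  return /\{\s*\[native code\]\s*\}\s*$/.test(Function.prototype.toString.call(fn));
}

// Report which network primitives are still native; null when absent.
function auditNetworkPrimitives(g = globalThis) {
  const xhr = typeof g.XMLHttpRequest === "function" ? g.XMLHttpRequest.prototype : null;
  return {
    fetch: typeof g.fetch === "function" ? isNativeFunction(g.fetch) : null,
    xhrOpen: xhr ? isNativeFunction(xhr.open) : null,
    xhrSend: xhr ? isNativeFunction(xhr.send) : null,
  };
}

// 2. Standard Levenshtein edit distance, single-row dynamic programming.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + cost);
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Compare the address the user approved with the one about to be sent.
// Any difference is a substitution; the distance shows how visually close
// the substitute is (a clipper deliberately keeps this small).
function checkOutgoingAddress(approved, outgoing) {
  const distance = levenshtein(approved.toLowerCase(), outgoing.toLowerCase());
  return { ok: distance === 0, distance };
}

// Constructed sample: the outgoing address differs in two characters near the end.
const APPROVED = "0x12345678abcdef0000000000000000000000abcd";
const OUTGOING = "0x12345678abcdef00000000000000000000ffabcd";
```

Run `checkOutgoingAddress(APPROVED, OUTGOING)` at the point where a transaction leaves the app; a non-zero distance should block the send and surface both addresses to the user.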
Security Warnings and Mitigation Steps
Guillemet urged hardware wallet users to verify every transaction before signing, emphasizing that clear signing prevents such manipulations. He warned those using software wallets to avoid on-chain transactions until the threat is contained.
Although the malicious packages have largely been removed, risks remain due to cached versions in dependency trees and lockfiles. Developers are advised to audit projects immediately and use the overrides feature in package.json to lock dependencies to safe versions.
Ongoing collaboration between the package author and the NPM security team is addressing the breach, but thorough audits are essential to ensuring that the malicious code is fully eliminated.
