
Ethereum, Solana Wallets Breached in Major ‘npm’ Incident, Losses Trivial at 5 Cents

Ethereum and Solana Wallets Targeted in npm Supply-Chain Attack, Losses Minimal

A widespread npm supply-chain attack briefly exposed billions of users to risk, though the actual financial loss was negligible. Security researchers describe it as one of the largest software supply-chain incidents in recent years.

The attack began Monday when a phishing email targeted a prominent Node.js developer behind widely used packages like chalk and debug-js, known in the developer community as “qix.” The email, sent from support@npmjs[.]help, redirected the developer to a spoofed two-factor authentication page hosted on BunnyCDN. The attacker harvested credentials—including username, password, and 2FA codes—gaining full access to the developer’s npm packages.

Once in control, the attacker republished all qix packages with a crypto-focused payload designed to intercept Ethereum and Solana transactions.

Malware Mechanics

The malicious code first checked whether window.ethereum, the provider object that browser wallet extensions inject into web pages, was present. If so, it intercepted the Ethereum transaction functions approve, permit, transfer, and transferFrom and rerouted transactions to a single attacker wallet: 0xFc4a4858bafef54D1b1d7697bfb5c52F4c166976.

On Solana, the malware replaced recipient addresses with invalid strings beginning “1911…,” so those transfers simply failed. It also hooked the browser's network APIs, fetch and XMLHttpRequest, scanning JSON responses for wallet-like strings and swapping them for one of 280 hardcoded replacement addresses chosen to look legitimate.
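As an added defensive example (not code from the article, npm, or any wallet vendor): a start-up integrity check a web app can run to notice script-level wrappers around the host networking APIs the article says were hooked. The watched-path list and the sample window objects in demo() are assumptions made for this illustration.

```javascript
// Added example, not from the article. Heuristic: a genuine browser built-in
// stringifies to "... { [native code] }", while a JavaScript wrapper placed
// around it exposes its own source text.

// Dotted paths to inspect on a window-like object (assumed list; extend it to
// the host APIs your app relies on). window.ethereum.request is deliberately
// NOT checked this way: wallet extensions inject it as script, so it never
// stringifies as native and would always be flagged.
const WATCHED_PATHS = [
  'fetch',
  'XMLHttpRequest.prototype.open',
  'XMLHttpRequest.prototype.send',
];

function resolvePath(root, path) {
  return path.split('.').reduce((o, k) => (o == null ? undefined : o[k]), root);
}

// True when fn looks like a host-provided built-in rather than page script.
// Uses the original Function.prototype.toString so an overridden fn.toString
// cannot lie. Limitation: bound functions also stringify as native.
function looksNative(fn) {
  if (typeof fn !== 'function') return false;
  const src = Function.prototype.toString.call(fn);
  return /\{\s*\[native code\]\s*\}\s*$/.test(src);
}

// Reports each watched path as 'missing' (API absent, e.g. in a worker or
// under Node) or 'wrapped' (script-defined override). 'clean' is false only
// when something is wrapped; a merely missing API is not an alarm.
function auditRuntimeHooks(win) {
  const findings = [];
  for (const path of WATCHED_PATHS) {
    const fn = resolvePath(win, path);
    if (fn === undefined) findings.push({ path, status: 'missing' });
    else if (!looksNative(fn)) findings.push({ path, status: 'wrapped' });
  }
  return { clean: !findings.some(f => f.status === 'wrapped'), findings };
}

// Constructed demo input: Math built-ins stand in for browser natives, and the
// "tampered" window replaces fetch with a plain pass-through script wrapper.
function demo() {
  const clean = { fetch: Math.abs,
                  XMLHttpRequest: { prototype: { open: Math.max, send: Math.min } } };
  const tampered = { ...clean, fetch: (...args) => clean.fetch(...args) };
  return { clean: auditRuntimeHooks(clean), tampered: auditRuntimeHooks(tampered) };
}
```

Run the audit as early as possible in page load and treat any 'wrapped' finding as a signal to stop and investigate rather than as proof of compromise, since legitimate polyfills and observability tools also wrap these APIs.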

Impact and Response

Despite the enormous distribution, on-chain data shows the attacker stole only around five cents in Ether and about $20 in an illiquid memecoin, according to Security Alliance. The real cost lies in remediation, as developers and organizations now must update systems and audit code to prevent future attacks.

Wallet providers largely avoided losses. MetaMask confirmed that its security mechanisms—including version-locking, staged updates, LavaMoat, and Blockaid—blocked the malicious code and flagged compromised addresses. Ledger CTO Charles Guillemet noted that the malware briefly affected packages with over a billion downloads, silently replacing wallet addresses in transactions.

The incident follows recent reports of npm packages exploiting Ethereum smart contracts to conceal malware, disguising command-and-control activity as ordinary blockchain interactions.

While financial damage was minimal, the attack highlights the ongoing risk of software supply-chain vulnerabilities and the need for robust security practices.


Copyright © 2025 CoinsNewz