Just Hours Ago: Crypto Stealer Discovered in Popular NPM Packages.

📅 September 8, 2025 | ⏱ 4 min read | 🔐 Category: Cybersecurity

Just hours ago, Aikido’s security and malware researchers uncovered a significant security breach involving several popular NPM packages. These packages, including widely used libraries like chalk, debug, and ansi-styles, with millions of downloads a week, were found to contain malicious code targeting crypto and web3 activities in browsers. This breach allows attackers to manipulate wallet interactions and redirect funds to their accounts without users knowing. The discovery was made by Aikido, who noticed unusual activity and quickly brought it to the attention of the maintainer via Bluesky.

The Breach and Its Impact

The compromised packages began releasing new versions containing obfuscated code that, when deobfuscated, revealed a complex script designed to intercept and manipulate crypto transactions. This code hooks into core browser functions like fetch, XMLHttpRequest, and wallet APIs such as window.ethereum. By doing so, it can silently alter network traffic and application APIs, making it a potent tool for attackers.

The malware operates by scanning network responses and transaction payloads for wallet addresses or transfers. It recognizes formats across various cryptocurrencies, including Ethereum, Bitcoin, Solana, Tron, Litecoin, and Bitcoin Cash. Once detected, it replaces legitimate destinations with attacker-controlled addresses using lookalike values to avoid detection.

How the Malware Operates

  • Injection into the Browser: The malware hooks into essential functions to intercept web traffic and wallet activity, ensuring it can manipulate both.
  • Monitoring for Sensitive Data: It scans for wallet addresses and transaction details, recognizing multiple cryptocurrency formats.
  • Target Rewriting: Legitimate transaction destinations are replaced with attacker-controlled addresses, using lookalike values to minimize suspicion.
  • Transaction Hijacking: Before transactions are signed, the malware alters parameters such as recipients and approvals, redirecting funds to attackers.
  • Stealth Operations: The malware avoids obvious UI changes if a crypto wallet is detected, maintaining silent hooks to capture and alter real transactions.

Maintainer’s Response and Current Status

The author shared that the phishing email was a request to update his 2FA sent from [email protected]. The email was convincing, with the maintainer stating, “Looked legitimate at first glance. Not making excuses, just had a long week and a panicky morning and was just trying to knock something off my list of to-dos. Made the mistake of clicking the link instead of going directly to the site like I normally would (since I was mobile).”

And that “NPM has yet to get back to me. My NPM account is entirely unreachable; forgot password system does not work. I have no recourse right now but to wait.”

Despite attempts to remove the compromised code, at the time of writing the package simple-swizzle remains affected. Users are advised to check their installed package versions and to take immediate action if an affected version has been installed.

Indicators of Compromise

The following package versions have been identified as compromised:

  • backslash 0.2.1
  • chalk-template 1.1.1
  • supports-hyperlinks 4.1.1
  • has-ansi 6.0.1
  • simple-swizzle 0.2.3
  • color-string 2.1.1
  • error-ex 1.3.3
  • color-name 2.0.1
  • is-arrayish 0.3.3
  • slice-ansi 7.1.1
  • color-convert 3.1.1
  • wrap-ansi 9.0.1
  • ansi-regex 6.2.1
  • supports-color 10.2.1
  • strip-ansi 7.1.1
  • chalk 5.6.1
  • debug 4.4.2
  • ansi-styles 6.2.2

This incident serves as a reminder of the vulnerabilities inherent in public package repositories. As open-source software continues to be a cornerstone of modern development, the risk of package compromise remains a significant concern. Attackers are increasingly targeting package maintainers through phishing and other deceptive tactics to gain access to popular libraries. Developers and users must remain vigilant, ensuring they use secure versions of packages and stay alert to any unusual activity. As the cybersecurity landscape evolves, proactive measures and community awareness are crucial in safeguarding against future threats.

Written by: Logan Elliott
Cyberix
https://cyberixsafe.com

Nisar Nikzad

Nisar is a Federal Contracting Expert and Cybersecurity Professional with nearly two decades of experience in Government procurement and Compliance. He is the founder and CEO of Cyberix, where he helps organizations navigate Federal acquisition requirements and cybersecurity challenges through practical, strategic solutions.