The JavaScript ecosystem has witnessed one of the largest supply chain attacks: hackers compromised the account of a well-known developer using the pseudonym qix in the NPM package manager. As a result, the attackers integrated malicious code into dozens of popular libraries, which collectively have over a billion downloads each week. The most affected utilities include chalk, strip-ansi, color-convert, color-name, is-core-module, error-ex, simple-swizzle, and has-ansi.
This is reported by Finway.
How the Attack Worked and Who Was Affected
After the compromise of the qix account, a malicious script was introduced into the codebase of popular JavaScript packages, capable of substituting crypto addresses during transactions. In this way, the hackers attempted to steal users’ digital assets. The attack was only detected after one of the development teams noticed anomalies while building the project. Investigations revealed the presence of obfuscated code with functions like checkethereumw, aimed at stealing cryptocurrency.
According to Ledger’s CTO Charles Guillemet, this is a large-scale supply chain attack that threatens the entire JavaScript ecosystem. He urged users to be particularly cautious when signing crypto transactions and, if they do not have a hardware wallet, to temporarily refrain from on-chain operations.
“The malicious code substitutes crypto addresses ‘on the fly’ to steal funds. If you are using a hardware wallet, carefully check each transaction before signing. If you do not have a hardware wallet, it is better to temporarily refrain from on-chain transactions.”
Community Response and Expert Recommendations
npm’s security team has already removed most of the infected versions of the libraries, and the author of the compromised packages is cooperating with them. However, experts warn that the malicious versions may still be referenced in a project’s lockfile or sit in cached builds, so the risk for projects persists.
Despite the massive scale of the attack, the financial losses turned out to be minimal: the hackers managed to steal only about $50 in Ethereum and meme coins. Security Alliance experts emphasize that such a compromise could grant access to millions of workstations. Even if the damages this time were insignificant, the consequences of similar attacks in the future could be catastrophic.
“The compromise of a developer’s account, whose packages are downloaded billions of times, can open access to millions of workstations. This time, the hackers earned pennies, but the consequences could have been catastrophic.”
Experts recommend that developers urgently audit their projects’ dependencies, pin the affected libraries to known-safe versions using the overrides field in package.json, and carefully verify addresses when making cryptocurrency payments, especially if no hardware wallet is being used.
It is worth noting that in May 2025, Ledger faced a phishing attack after the account of a moderator of its Discord channel was hacked. This underscores the importance of adhering to cybersecurity practices and continuously monitoring dependencies in software projects.
