Largest NPM Attack Stole Just $50 In Crypto

In what has been dubbed the largest NPM attack in history, hackers compromised widely used JavaScript libraries, yet stole less than $50.

Key Takeaways

  • The largest NPM attack in crypto history targeted popular JavaScript libraries in a massive supply chain breach.

  • Despite the scope, less than $50 in crypto was stolen, primarily ETH and memecoins.

  • Affected libraries were widely used, even in projects that didn’t directly install them.

  • Malware functioned as a crypto clipper, silently swapping wallet addresses.

  • Major platforms like MetaMask and Ledger remain unaffected.

 

How The Malware Worked: The Crypto Clipper

Security experts discovered that the malware was a crypto clipper, a type of malicious code that silently alters copied wallet addresses, redirecting funds to the attacker’s wallet during crypto transactions.

Samczsun, a pseudonymous researcher from SEAL, said:

“The hacker didn’t fully capitalize on the access they had, it’s like finding the keycard to Fort Knox and using it as a bookmark.”

The malware has reportedly been neutralized in most environments, and no ongoing threat has been identified beyond the initial infection.

Memecoins & Small ETH Transfers

Initially, only five cents' worth of ETH was reported stolen, even though the hacker had access to potential millions.

[Image: NPM Attack No Profit. Source: X (@_SEAL_Org)]

That number later rose to around $50, including a mix of small-cap memecoins like:

  • Brett (BRETT)

  • Andy (ANDY)

  • Dork Lord (DORK)

  • Ethervista (VISTA)

  • Gondola (GONDOLA)

All funds were funneled into the same malicious wallet address identified by the researchers.

Who’s At Risk?

Projects That May Be Affected

Even crypto projects that did not directly download the compromised packages may still be at risk if their dependencies pulled in infected code.

This includes:

Projects That Confirmed Safety

Many major platforms have confirmed they are not impacted by the NPM attack, including:

  • Ledger

  • MetaMask

  • Uniswap

  • Phantom Wallet

  • Aerodrome

  • Blockstream Jade

  • Revoke.cash

[Image: MetaMask NPM Attack. Source: X (@MetaMask)]

These platforms credit their multi-layered defense systems and thorough dependency audits for their resilience against the supply chain breach.

Security Experts Advise Caution

Despite the low amount stolen so far, industry experts warn users to remain cautious.

0xngmi, founder of DefiLlama, said:

“Users won’t be instantly drained, but any project that updated their code after the malware was published could potentially be vulnerable, especially if users approve malicious transactions.”

Until a full cleanup is confirmed, it’s wise for crypto users and developers alike to:

  • Avoid interacting with dApps that may have recently updated dependencies

  • Double-check wallet addresses before confirming transactions

  • Monitor project updates for disclosures related to the NPM breach

 

FAQ

What is an NPM attack?

An NPM attack involves injecting malicious code into packages distributed via the Node Package Manager. Because many apps rely on NPM packages, a single compromised package can affect thousands of projects.

How did the hacker compromise the NPM account?

While exact details are unclear, it’s likely the attacker obtained access credentials through phishing, credential stuffing, or poor account hygiene.

How can I tell if my crypto wallet was affected?

If you’ve interacted with a dApp or wallet app that recently updated packages like chalk or strip-ansi, you may be at risk. Watch for unusual transactions and consider revoking permissions using tools like Revoke.cash.
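For developers, the transitive-dependency risk described above can be checked from the lockfile. The following is an added example, not code from the article or from any affected project: it walks the `packages` map of an npm v2/v3 `package-lock.json`, finds every installed copy of the packages named here, and reports which package pulled each one in. The helper package names and version strings in the sample are constructed placeholders; real versions must be compared against the published advisory.

```javascript
// Added example: find installed copies of watched packages in an npm lockfile
// (v2/v3 "packages" map) and report which packages required them.
const WATCH = new Set(["chalk", "strip-ansi"]); // names taken from the article

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function nameOf(path) {
  return path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
}

// Node-style resolution: the requirer's own node_modules first, then walk up.
function resolve(packages, fromPath, dep) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + dep;
    if (candidate in packages) return candidate;
    if (!base) return null;
    const cut = base.lastIndexOf("/node_modules/");
    base = cut === -1 ? "" : base.slice(0, cut);
  }
}

function findWatched(lock, watch = WATCH) {
  const packages = lock.packages || {};
  const requiredBy = new Map(); // installed path -> names of requirers
  for (const [path, meta] of Object.entries(packages)) {
    const deps = { ...meta.dependencies, ...meta.optionalDependencies,
                   ...(path === "" ? meta.devDependencies : {}) };
    for (const dep of Object.keys(deps)) {
      const target = resolve(packages, path, dep);
      if (!target) continue;
      if (!requiredBy.has(target)) requiredBy.set(target, []);
      requiredBy.get(target).push(path === "" ? "(root project)" : nameOf(path));
    }
  }
  return Object.keys(packages)
    .filter((p) => p !== "" && watch.has(nameOf(p)))
    .map((p) => {
      const via = requiredBy.get(p) || [];
      return { name: nameOf(p), version: packages[p].version, path: p,
               direct: via.includes("(root project)"), requiredBy: via };
    });
}

// Constructed sample: the root never lists chalk or strip-ansi itself.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "example-dapp", dependencies: { "example-logger": "*" } },
  "node_modules/example-logger": { version: "1.0.0", dependencies: { chalk: "*", "example-table": "*" } },
  "node_modules/chalk": { version: "0.0.0-placeholder" },
  "node_modules/example-table": { version: "1.0.0", dependencies: { "strip-ansi": "*" } },
  "node_modules/example-table/node_modules/strip-ansi": { version: "0.0.0-placeholder" },
} };
console.log(findWatched(SAMPLE_LOCK));
```

To scan a real project, pass the parsed contents of its `package-lock.json` to `findWatched`; entries with `direct: false` are copies the project never listed in its own manifest.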

What is a crypto clipper?

A crypto clipper is malware that replaces a copied wallet address with the attacker’s address when you paste it into a transaction — silently redirecting your funds.

Is this attack still active?

No. As of now, the malware has been largely neutralized. However, residual risks may exist in projects that haven’t yet updated their dependencies.


Haider Jamal

Content Strategist

Haider is a fintech enthusiast and Content Strategist at CryptoWeekly with over four years in the Crypto & Blockchain industry. He began his writing journey with a blog after graduating from Monash University Malaysia. Passionate about storytelling and content creation, he blends creativity with insight. Haider is driven to grow professionally while always seeking the next big idea.
