Massive Software Hack Puts Every Crypto Transaction at Risk

A major cyberattack has shaken the global software ecosystem and placed millions of crypto users at risk. Hackers hijacked a popular developer’s account on npm, the platform that powers much of the web, and slipped malicious updates into widely used code libraries.

These libraries are buried deep inside countless apps and websites. Together, they are downloaded more than a billion times each week. That scale makes this one of the largest software supply-chain compromises ever seen.

A New Malware Targeting Crypto Transactions

The malicious code targets cryptocurrency transactions. It works in two ways.

First, if no wallet is detected, the malware looks for crypto addresses inside a website and replaces them with attacker-controlled addresses. 

It uses clever tricks to swap them for look-alikes that are visually almost identical. This makes it easy for users to miss the switch.

DO NOT USE YOUR CRYPTO WALLET unless you know for sure it is not affected by the NPM Javascript Hack. From the code I reviewed, it looks like it targets browser based wallets like metamask by intercepting the browser's methods like fetch and XMLHttpRequest. The code chooses…

— Scott Emick 🇺🇸 (@semick) September 8, 2025

Second, if a wallet like MetaMask is present, the code actively changes transactions. 

When a user prepares to send funds, the malware intercepts the data and replaces the recipient with the attacker’s address. If the user signs without carefully checking, their money is gone.

Every Crypto User Could Be At Risk

The attack began when the npm account of the developer known as Qix was compromised. Hackers then published new versions of dozens of his packages, including the core utilities mentioned above.

Developers who updated their projects pulled in these poisoned versions automatically. Any website or decentralized application that deployed them could unknowingly expose their users.

The breach was uncovered only after a build error drew attention to strange, unreadable code inside one of the updated packages. 

Security experts later found it was a sophisticated “crypto-clipper” designed to silently redirect funds.

The threat is especially serious for anyone making transactions through a web browser. If you copied an address from a site, or if you signed a transfer without checking, you could be at risk.

Ledger’s Chief Technology Officer issued a stark warning on social media.

🚨 There’s a large-scale supply chain attack in progress: the NPM account of a reputable developer has been compromised. The affected packages have already been downloaded over 1 billion times, meaning the entire JavaScript ecosystem may be at risk.The malicious payload works…

— Charles Guillemet (@P3b7_) September 8, 2025

What You Should Do Now

Experts recommend several urgent steps for all crypto holders:

• Verify addresses: Always read the full address on your wallet’s confirmation screen or hardware device before signing.
• Pause activity if unsure: If you use a browser-based or software wallet, consider holding off on transactions until more is known.
• Check recent activity: Review past transfers and approvals. If you see anything suspicious, revoke approvals and move funds to a new wallet.
• Use test transactions: When sending to a new address, transfer a small amount first to confirm it arrives safely.
• Rely on hardware wallets: Devices that show transaction details on a separate screen remain the most secure option.

The attack shows how fragile trust in the open-source software ecosystem can be. A single compromised developer account allowed hackers to push dangerous code into billions of downloads.

This incident is still unfolding. The malicious versions are being removed, but some may remain online for days or weeks. The safest approach is vigilance.

If you use crypto, check every transaction with care. One extra look at the address on your wallet could be the difference between safety and theft.