Breaking News: Crypto Funds at Risk from Massive Supply Chain Attack
Crypto Hack: What Happened?
A widely used npm package, error-ex, was tampered with in its 1.3.3 release. Hidden inside was obfuscated code that activates two dangerous attack modes:
- Clipboard Hijacking: When you paste a wallet address, the malware silently swaps it with the attacker’s lookalike address.
- Transaction Interception: If you use a browser wallet, the code can intercept transaction calls and change the recipient’s address before you even see the confirmation screen.
This makes it nearly impossible to notice unless you carefully check every single character of the address you’re sending to.
Who’s at Risk from this Crypto Hack?
- Developers: Any project pulling dependencies without strict version pinning may have installed the infected version. This could affect CI pipelines, production builds, and apps that rely on JavaScript.
- Crypto Users: The malware targets major assets including $ BTC , $ETH, $SOL, $TRX, $LTC, and $BCH. Both clipboard users and browser wallets are at risk.
- Platforms: Even centralized apps integrating npm libraries may have unknowingly included the malicious code.
Which Companies were Affected?
Already, SwissBorg confirmed a breach linked to a compromised partner API. Roughly 192.6K SOL (~$41.5M) was drained in the attack. While the SwissBorg app itself remains secure, its SOL Earn Program was hit, affecting <1% of users. The platform has promised recovery measures, including treasury funds and support from white-hat hackers.
How to Protect Yourself
Here’s what you need to do right now:
For Wallet Users
✅ Always verify every transaction — check the full recipient address before signing.
✅ Use a hardware wallet with clear signing enabled.
✅ Avoid unnecessary browser wallet extensions.
✅ If something feels off (unexpected signing requests), close the tab immediately.
For Developers
⚙️ Switch CI builds from npm install to npm ci to lock dependencies.
⚙️ Run npm ls error-ex to detect infected installs.
⚙️ Pin safe versions (error-ex@1.3.2) and regenerate lockfiles.
⚙️ Add dependency scanners like Snyk or Dependabot.
⚙️ Treat package-lock changes with the same scrutiny as code reviews.
Outlook
This incident highlights the fragility of supply chains in Web3 and beyond. A small package compromise can cascade into billions of downloads, hitting both developers and crypto holders worldwide. The immediate danger lies in address-swapping attacks, but the broader concern is how deep this could spread into financial infrastructure.
For now: check before you sign, pin your dependencies, and don’t take security shortcuts.
Disclaimer: The content of this article solely reflects the author's opinion and does not represent the platform in any capacity. This article is not intended to serve as a reference for making investment decisions.
You may also like
Bitcoin wobbles after shocking US jobs revision: What’s next for BTC?
From Tenant to Broker: The Crypto Business in Trump Tower
Living below the seat of power, let the elevator of wealth go straight to your own office.
"Seizing Power" from the Federal Reserve: US Treasury Secretary Calls for Comprehensive Review of the Fed
Besant's opinion piece appears to indicate that the Trump administration's criticism of the Federal Reserve is escalating—not only demanding interest rate cuts, but also beginning to question the Fed's overall operational model and its foundation as an independent institution.
Breaking Down the Walled Garden: How Does Ondo Global Market Bring 100+ US Stocks On-Chain?
Make financial markets truly globalized, democratized, and programmable.
Trending news
MoreCrypto prices
More
