{ "id": 48571, "date": "2025-09-09T09:55:03", "date_gmt": "2025-09-09T02:55:03", "guid": { "rendered": "https:\/\/hbbgroup.net\/largest-npm-attack-in-crypto-history-stole-less-than-50-seal\/" }, "modified": "2025-09-09T09:55:03", "modified_gmt": "2025-09-09T02:55:03", "slug": "largest-npm-attack-in-crypto-history-stole-less-than-50-seal", "status": "publish", "type": "post", "link": "https:\/\/hbbgroup.net\/en_us\/largest-npm-attack-in-crypto-history-stole-less-than-50-seal\/", "title": { "rendered": "Largest NPM attack in crypto history stole less than $50: SEAL" }, "content": { "rendered": "
\n
\n

Hackers broke into the node package manager (NPM) account of a well-known software developer and added malware to popular JavaScript libraries, targeting crypto wallets. <\/p>\n

\"Largest<\/picture><\/div>\n
\n
\n
\n

Hackers have only managed to steal $50 worth of crypto from a massive supply chain hack affecting JavaScript software libraries, industry security researchers say.<\/p>\n

Crypto intelligence platform Security Alliance shared<\/a> the findings on Monday after hackers broke into the node package manager (NPM) account of a well-known software developer and added<\/a> malware to popular JavaScript libraries that have already been downloaded over 1 billion times, potentially putting countless crypto projects at risk. Ethereum and Solana wallets were specifically targeted, Security Alliance said.<\/p>\n

Fortunately, less than $50 has been stolen from the crypto space so far, the security firm said, identifying Ethereum wallet address \u201c0xFc4a48\u201d as what it believes to be the only malicious address so far. It added<\/a> on X: <\/p>\n<\/div>\n

\u201dPicture this: you compromise the account of a NPM developer whose packages are downloaded more than 2 billion times per week. You could have unfettered access to millions of developer workstations. Untold riches await you. The world is your oyster. You profit less than 50 USD.\u201d<\/p><\/blockquote>\n

Source: <\/em>Security Alliance<\/em><\/a><\/figcaption><\/figure>\n

The $50 figure was, however, bumped<\/a> up from five cents a few hours earlier, suggesting the potential damage may still be unfolding.<\/p>\n

ETH, memecoin among small amount of crypto stolen<\/h2>\n
\n

The five cents stolen were in Ether (ETH<\/a>) while another $20 worth of a memecoin was compromised, Security Alliance said. <\/p>\n

Etherscan data<\/a> shows the malicious address has received Brett (BRETT<\/a>), Andy (ANDY), Dork Lord (DORK), Ethervista (VISTA), and Gondola (GONDOLA) memecoins so far.<\/p>\n<\/div>\n

Crypto projects that didn\u2019t download the NPMs still at risk<\/h2>\n

The breach targeted packages such as\u00a0chalk,\u00a0strip-ansi,\u00a0and\u00a0color-convert\u00a0\u2014 small utilities buried deep in the dependency trees in countless projects. Even devs who never installed them directly could be exposed.<\/p>\n

The attackers appear to have planted a\u00a0crypto-clipper, a type of malware that silently replaces wallet addresses during transactions to divert funds. <\/p>\n

\n

Ledger chief technology officer Charles Guillemet was among many who have urged crypto users to proceed with caution when confirming onchain transactions.<\/p>\n

In a separate post, Ledger said<\/a> its devices weren\u2019t directly affected by the NPM attack.<\/p>\n<\/div>\n

You won\u2019t be instantly drained, crypto founder says<\/h2>\n