

Massive npm Attack Targets Ethereum and Solana Wallets, Minimal Funds Stolen
Sep 10, 2025
A sophisticated supply-chain attack has compromised numerous packages within the Node Package Manager (npm) registry, targeting developers of Ethereum and Solana wallets. The attack, which involved injecting malicious code into widely downloaded packages, aimed to steal cryptocurrency credentials. Despite the broad reach and potential for significant damage, the financial impact on users was remarkably low, with attackers reportedly stealing only a few cents.
Key Takeaways
Malicious npm packages were distributed, impersonating legitimate developer tools and infrastructure.
The attack targeted Ethereum and Solana wallet credentials, including private keys and seed phrases.
Despite widespread downloads, the financial losses were minimal, amounting to mere cents.
The attack vector involved compromising a popular npm maintainer through a phishing email.
The Attack Unveiled
Researchers have identified a large-scale software supply-chain attack that infiltrated the npm ecosystem. The breach occurred when a prominent npm maintainer, known for popular libraries like and with billions of weekly downloads, fell victim to a phishing email. This email led to the compromise of their account, allowing attackers to republish their packages with malicious code. The injected code was designed to detect the presence of and hook into Ethereum's core transaction functions, rerouting transactions to an attacker-controlled wallet. For Solana, the malware corrupted transfer recipients. Network requests were also intercepted to scan for and replace wallet addresses with malicious ones.
Impersonation and Data Exfiltration
Further analysis revealed a separate set of malicious packages uploaded to npm by a user named "flashbotts." These packages masqueraded as legitimate cryptographic utilities and Flashbots MEV infrastructure. They were designed to exfiltrate private keys and mnemonic seed phrases to a Telegram bot controlled by the threat actor. Libraries like and were particularly concerning, with the former exfiltrating environment variables and redirecting unsigned transactions, while the latter aimed to steal private keys. The presence of Vietnamese language comments in the source code suggests a Vietnamese-speaking threat actor.
Impact and Mitigation
Despite the extensive distribution of the compromised packages, the financial impact was negligible. On-chain data indicates that the attacker only managed to steal approximately five cents worth of Ether and a small amount of an illiquid memecoin. Popular wallet providers like MetaMask reported that they were not affected due to robust security measures, including code locking, manual and automated checks, staged updates, and the use of security tools like LavaMoat and Blockaid. However, the incident highlights the significant costs security teams face in updating backend systems to counter such sophisticated supply-chain attacks.
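The "code locking" mitigation mentioned above depends on a lockfile that can be audited as soon as a registry compromise is announced. The following is an added example, not code from the article or from any project it names: it walks an npm package-lock.json (lockfileVersion 2 or 3) and reports every installed copy, nested transitive ones included, whose version is on a denylist, plus entries that carry no integrity hash. The package names, versions and sample lockfile are constructed placeholders, because the article does not name the affected releases.

```javascript
// Constructed denylist: the article does not name the affected packages or
// versions, so these are placeholders to be filled in from an advisory.
const DENYLIST = new Map([
  ["example-color-lib", ["1.2.3"]],
  ["@example/debug-util", ["4.5.6"]],
]);

// In lockfile v2/v3 the package name is whatever follows the last
// "node_modules/" in the key, so nested transitive copies are covered.
function packageName(key, meta) {
  const marker = "node_modules/";
  return meta.name || key.slice(key.lastIndexOf(marker) + marker.length);
}

function auditLockfile(lock, denylist = DENYLIST) {
  if (!lock || !lock.packages) {
    throw new Error("expected lockfileVersion 2 or 3 (no 'packages' map)");
  }
  const findings = [];
  for (const [key, meta] of Object.entries(lock.packages)) {
    if (key === "" || meta.link) continue; // root project or workspace symlink
    const id = `${packageName(key, meta)}@${meta.version}`;
    const bad = denylist.get(packageName(key, meta)) ?? [];
    if (bad.includes(meta.version)) {
      findings.push({ issue: "denylisted-version", id, path: key });
    }
    // No integrity hash: npm cannot check the tarball against the lock.
    if (!meta.integrity && !meta.inBundle) {
      findings.push({ issue: "missing-integrity", id, path: key });
    }
  }
  return findings;
}

// Constructed sample lockfile; the integrity strings are dummies.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "wallet-ui", version: "0.1.0" },
    "node_modules/example-color-lib": { version: "1.2.2", integrity: "sha512-AAAA" },
    "node_modules/logger": { version: "2.0.0", integrity: "sha512-BBBB" },
    "node_modules/logger/node_modules/example-color-lib": { version: "1.2.3", integrity: "sha512-CCCC" },
    "node_modules/@example/debug-util": { version: "4.5.6", integrity: "sha512-DDDD" },
    "node_modules/local-fork": { version: "2.0.0", resolved: "git+ssh://git@example.invalid/fork.git" },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) console.log(`${f.issue}\t${f.id}\t${f.path}`);
```

On a real project, pass the parsed contents of the project's package-lock.json and fail the CI job when the result is non-empty.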