Ethereum and Solana Wallets Hit in Massive 'npm' Attack—Hackers Only Nab 5 Cents

Author: Coindesk
Published: 2025-09-09 13:00:30

Ethereum, Solana Wallets Targeted in Massive 'npm' Attack But Just 5 Cents Taken

Attackers targeted npm—the world’s largest software registry—in a brazen supply-chain attack aimed squarely at Ethereum and Solana crypto wallets.

Just five cents stolen.

Talk about an ROI even a hedge fund wouldn’t touch.

The attackers slipped malicious code into popular npm packages, hoping to snatch private keys and drain high-value wallets. Yet the final haul barely covered transaction fees.

This isn’t the first time npm has been abused for crypto theft—and it won’t be the last. But this particular heist goes down as one of the least profitable in hacking history.

Stay sharp, update your dependencies, and maybe—just maybe—keep your keys off npm.

How the attack happened

The injected code was simple. It checked if window.ethereum was present and, if so, hooked into Ethereum’s core transaction functions. Calls to approve, permit, transfer, or transferFrom were silently rerouted to a single wallet, “0xFc4a4858bafef54D1b1d7697bfb5c52F4c166976.”

Any Ethereum transaction with value and no data was also redirected. For Solana, the malware overwrote recipients with an invalid string beginning “1911…,” breaking transfers outright.

Network requests were also intercepted.

By hijacking fetch and XMLHttpRequest, the malware scanned JSON responses for substrings resembling wallet addresses and replaced each with one of 280 hardcoded alternatives meant to look deceptively similar.
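
As an added example (not code from the article, the Security Alliance report, or any wallet vendor), the code below is a pre-signing check for the rerouting described above: it decodes which address actually benefits from a transaction and compares it with the address the user intended. The function names are hypothetical, and it is assumed to run in the signing component rather than in the compromised page; the four selectors are the standard ERC-20 and EIP-2612 ones.

```javascript
// Added example; inputs are constructed, function names are hypothetical.
// Address quoted in the article as the destination of rerouted calls.
const ATTACKER = "0xFc4a4858bafef54D1b1d7697bfb5c52F4c166976".toLowerCase();

// Standard 4-byte selectors for the calls the article lists, plus the index
// of the 32-byte argument naming who receives tokens or spending rights.
const SELECTORS = {
  "a9059cbb": { name: "transfer", argIndex: 0 },     // transfer(to, amount)
  "095ea7b3": { name: "approve", argIndex: 0 },      // approve(spender, amount)
  "23b872dd": { name: "transferFrom", argIndex: 1 }, // transferFrom(from, to, amount)
  "d505accf": { name: "permit", argIndex: 1 },       // permit(owner, spender, ...)
};

// Work out which address actually benefits from a transaction object.
// For token calls, tx.to is only the token contract; the beneficiary is in calldata.
function beneficiary(tx) {
  const data = (tx.data || "0x").toLowerCase().replace(/^0x/, "");
  if (data.length === 0) {
    return { kind: "value-transfer", address: (tx.to || "").toLowerCase() };
  }
  const sel = SELECTORS[data.slice(0, 8)];
  if (!sel) return { kind: "unknown-call", address: null };
  const start = 8 + sel.argIndex * 64;
  const word = data.slice(start, start + 64);
  if (word.length !== 64) return { kind: "malformed", address: null };
  return { kind: sel.name, address: "0x" + word.slice(24) }; // low 20 bytes
}

// Compare what is about to be signed with the address the user intended.
function checkBeforeSigning(tx, intendedAddress) {
  const b = beneficiary(tx);
  if (b.address === null) return { ok: false, reason: "cannot-decode", ...b };
  if (b.address === ATTACKER) return { ok: false, reason: "known-attacker-address", ...b };
  if (b.address !== intendedAddress.toLowerCase()) {
    return { ok: false, reason: "beneficiary-mismatch", ...b };
  }
  return { ok: true, reason: "match", ...b };
}
```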

Impact of the attack

But for all the distribution, the impact was negligible.

On-chain data shows the attacker received only around five cents of ether and about $20 worth of an illiquid memecoin that traded less than $600 in volume, the Security Alliance report said.

Popular browser wallet MetaMask also said on X that it was not affected by the npm supply chain attack as the wallet locks its code versions, uses manual and automated checks, and releases updates in stages. It also employs "LavaMoat," which blocks malicious code even if inserted, and "Blockaid," which rapidly flags compromised wallet addresses, to keep such attacks at bay.

Meanwhile, Ledger CTO Charles Guillemet warned that the malicious code had been pushed into packages with over a billion downloads and was designed to silently replace wallet addresses in transactions.

The attack follows another case flagged last week by ReversingLabs, where npm packages used Ethereum smart contracts to conceal malware links — a technique that disguised command-and-control traffic as ordinary blockchain calls.
