SolHODL

SolHODL
@SolHODL_
The ultimate Solana NFT holder verification protocol. Securely authenticate NFT ownership, manage roles, and create exclusive experiences for your community.



🚨 BREAKING: Massive NPM Supply Chain Attack Targets Crypto Wallets! 🚨

If you're a dev or crypto user relying on Node.js packages, this is a wake-up call. Attackers hacked maintainer Sindre Sorhus's NPM account, injecting malware into 18 popular packages like chalk and debug; these get over 2B downloads/week combined! I've researched this deep as a web/app security analyst. Let's break it down in this thread: how it works, what's affected, and a solid step-by-step to protect yourself.

How it works:
Malware sneaks in via new versions of these packages. Once installed (e.g., via npm install), it runs stealthily:
- Monitors your clipboard for crypto addresses and swaps them with attacker ones using homoglyphs (look-alike chars, e.g., l vs I).
- Hooks into web3 APIs in browsers, altering tx recipients before you confirm.
This hits during copy-paste or wallet interactions. Similar to past attacks on Nx/React in July-Aug 2025 that stole creds, or April's fake PDF converters tampering with Atomic/Exodus on Windows. It's part of a wave: August's fake nodejs-smtp package mimicked Nodemailer to redirect BTC/ETH/USDT/XRP/SOL funds.

Affected Packages (100% confirmed malicious versions):
- backslash@0.2.1
- chalk-template@1.1.1
- supports-hyperlinks@4.1.1
- has-ansi@6.0.1
- simple-swizzle@0.2.3
- color-string@2.1.1
- error-ex@1.3.3
- color-name@2.0.1
- is-arrayish@0.3.3
- slice-ansi@7.1.1
- color-convert@3.1.1
- wrap-ansi@9.0.1
- ansi-regex@6.2.1
- supports-color@10.2.1
- strip-ansi@7.1.1
- chalk@5.6.1
- debug@4.4.2
- ansi-styles@6.2.2
If your project deps include these versions, you're at risk. Check package.json/lockfile NOW.

Affected Chains: Malware targets addresses from:
- Bitcoin (BTC)
- Ethereum (ETH)
- Solana (SOL)
- Tron (TRX)
- Litecoin (LTC)
- Bitcoin Cash (BCH)
It doesn't hit every chain, but these are confirmed. If you're on these, extra vigilance.

Affected Wallets:
- Browser extensions: MetaMask, Phantom. Malware intercepts web3 calls and changes recipients pre-confirmation.
- Desktop apps: Atomic Wallet, Exodus. Malware can tamper with files and persist post-removal (seen in similar attacks).
Hardware wallets like Ledger and Trezor are SAFE! They display tx details on-device for verification; malware can't alter that. Always use hardware for big txs.
Not affected: Mobile-only wallets without desktop/browser ties, but if your dev machine is infected, there are indirect risks.

Step-by-Step to Stay Safe (Dev-Focused, but Applies to Users):
1. Audit your project: Open package.json and yarn.lock/package-lock.json. Search for the listed malicious versions. If found, act fast.
2. Pin safe versions: In package.json, add "overrides" (NPM) or "resolutions" (Yarn) to force prior safe releases, e.g.:
   "overrides": {
     "chalk": "5.3.0"
   }
   (5.3.0 stands in for the last good version here.) Research exact safe versions per package on npmjs.com.
3. Nuke & Rebuild: Delete the node_modules folder and lockfile. Run npm install (or yarn) to pull safe deps.
4. Scan for vulns: Use 'npm audit' or tools like Snyk before any installs. Enable 2FA on your NPM account.

More Safety Steps:
5. For wallets: Disable browser extensions like MetaMask/Phantom temporarily if dev-infected. Reinstall desktop wallets (Atomic/Exodus) from official sites ONLY; verify hashes/wallets/addresses!
6. Best practices: NEVER copy-paste addresses; type manually or use QR. Verify EVERY char on the hardware wallet screen before signing.
7. Monitor: Check wallet activity for unauthorized txs. If suspect, rotate keys/seeds immediately.
8. Pause on-chain: No txs until all-clear from maintainers/security firms like Chainalysis.
Bonus: Use virtual machines for dev to isolate risks.

This is why supply chain security matters in the crypto/dev world. I've seen too many rugs/hacks; stay vigilant! If you're hit or have questions, drop below.

Sources: Check @P3b7_'s original post and npm advisories. x.com/P3b7_/status/1…

Stay safe out there!

