
The Great NPM Heist: A Supply Chain Crisis in the Open-Source Era

Browser-based malware targets crypto wallets through poisoned npm packages downloaded billions of times each week

  • Over 18 widely used npm packages were compromised after a phishing attack on a single open-source maintainer.
  • The packages received more than 2 billion downloads per week, spreading malicious code to thousands of downstream projects.
  • The injected malware targeted browser wallets like MetaMask and Phantom, aiming to steal cryptocurrencies such as Ethereum, Bitcoin, and Litecoin.
  • This is the largest known supply chain attack in npm’s history, with a massive global blast radius and real-world financial impact.
  • The breach underscores the fragility of the trust-based open-source model, where a single point of failure can compromise the global software ecosystem.
  • Check Point urges security teams to adopt proactive supply chain security measures, including dependency auditing, lockfile enforcement, and AI-powered runtime protection.

On September 8, 2025, the JavaScript ecosystem experienced a major supply chain breach that security researchers call the largest in npm history. A single phishing email sent to a prominent maintainer led to the compromise of over 18 critical npm packages, tools that together account for more than 2 billion weekly downloads.

The attacker’s malware, injected into packages like chalk, debug, and supports-color, was engineered to steal cryptocurrency by silently hijacking browser wallet transactions. Among the targeted currencies were Solana, Ethereum, and Bitcoin, making this not only a supply chain event but a coordinated crypto heist.

The malware operated entirely in browser environments, targeting users of MetaMask and Phantom by intercepting and replacing wallet addresses in real time. Detection came quickly, thanks to researchers at Aikido Security, but the initial damage had already spread.

This attack also highlights the ongoing fragility of open-source ecosystems, where trust and convenience often outweigh security hygiene. It is a reminder that security must shift both left and right, covering the full software lifecycle from development through runtime.


Adi Bleih, Cyber Researcher, Check Point External Risk Management:

“This breach wasn’t just a phishing mistake; it was a calculated attack on trust, the kind that ripples across thousands of apps and millions of users,” said Adi Bleih, Security Research Group Manager at Check Point Software Technologies. “It shows how easily one vulnerable account can become the launchpad for a global software supply chain crisis.”

Check Point Recommendations:

  • Use npm ci and lockfiles to prevent unverified installations
  • Audit dependencies using tools like Check Point CloudGuard Spectral
  • Require hardware-based 2FA for package maintainers
  • Implement AI-powered runtime threat detection and prevention, such as the Infinity Platform
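As an added illustration of the first two recommendations (lockfile enforcement and dependency auditing), the script below is example code written for this article, not Check Point's or npm's own tooling. It walks a package-lock.json (lockfileVersion 2 or 3), flags entries that lack a sha512 integrity hash or resolve outside the public registry, and matches name@version pairs against a blocklist; the lockfile fragment and the blocklist versions are constructed placeholders, not the real affected versions.

```javascript
// Added example, not code from the article or from npm: audit a package-lock.json for
// weak pins and for known-compromised name@version pairs. BLOCKLIST versions below are
// PLACEHOLDERS; substitute the versions named in the advisory you are acting on.
const REGISTRY_PREFIX = "https://registry.npmjs.org/";

// Derive the package name from a lock "packages" key such as "node_modules/debug"
// or a nested key like "node_modules/a/node_modules/chalk".
function packageName(key) {
  const parts = key.split("node_modules/");
  return parts[parts.length - 1];
}

// Returns a list of { id, reason } findings; an empty list means nothing was flagged.
function auditLockfile(lock, blocklist) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === "") continue; // root project entry, not a dependency
    const id = `${packageName(key)}@${entry.version}`;
    if (blocklist.has(id)) findings.push({ id, reason: "blocklisted" });
    if (!entry.integrity || !entry.integrity.startsWith("sha512-"))
      findings.push({ id, reason: "missing-or-weak-integrity" });
    if (entry.resolved && !entry.resolved.startsWith(REGISTRY_PREFIX))
      findings.push({ id, reason: "non-registry-source" });
  }
  return findings;
}

// Constructed sample lockfile fragment (versions and hashes are made up for the demo).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/chalk": { version: "0.0.0-placeholder", resolved: REGISTRY_PREFIX + "chalk/-/chalk-0.0.0-placeholder.tgz", integrity: "sha512-AAAA" },
    "node_modules/debug": { version: "0.0.1-sample", resolved: REGISTRY_PREFIX + "debug/-/debug-0.0.1-sample.tgz", integrity: "sha512-BBBB" },
    "node_modules/supports-color": { version: "0.0.2-sample", resolved: "http://mirror.example/supports-color-0.0.2-sample.tgz" },
  },
};
// Placeholder blocklist entry, standing in for a compromised release named in an advisory.
const BLOCKLIST = new Set(["chalk@0.0.0-placeholder"]);

if (typeof require !== "undefined" && require.main === module) {
  for (const f of auditLockfile(SAMPLE_LOCK, BLOCKLIST)) console.log(f.reason, f.id);
}
```

Run this in CI before npm ci, which itself refuses to install when package.json and the lockfile disagree, so the two checks together block both unpinned and known-bad dependencies.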

The Great NPM Heist may fade from headlines, but the underlying risk won’t. As the software supply chain continues to expand, so does the opportunity for attackers. Now is the time to rethink how trust, verification, and prevention intersect in modern development.
