A massive software supply chain attack has compromised millions of crypto users by targeting popular open-source code libraries used in web apps and wallets. The attack is already stealing funds across multiple blockchains.

• What happened: 18 popular software libraries on NPM (used by millions of apps) were secretly injected with malicious code.
• How it works: The malware swaps legitimate wallet addresses with attacker-controlled ones during transactions.
• How much is lost: Initially $50, now over $500 stolen, according to Arkham Intelligence.
• Security precautions: Verify full addresses, send test transactions, use hardware or air-gapped wallets.

‍

What Actually Happened

If you’ve never heard of NPM, you’re not alone. It’s not a blockchain project—it’s a software “package manager” used by developers worldwide. Think of it as an app store for pieces of code. Every time you use a web app, chances are it relies on dozens (if not hundreds) of these packages in the background.

The attack struck when hackers compromised the account of a respected maintainer and published malicious updates to 18 widely used packages. Together, these libraries are downloaded over 2.6 billion times each week. That means the poisoned code spread instantly into countless apps and services, including those that handle cryptocurrency transactions.

Even though the infected versions were online for only about two hours, that was enough time for exposure to spread across the internet.

‍

How the NPM Supply Chain Attack Works

The malicious code was tailored specifically to steal cryptocurrency. Here’s how it operated:

• Clipboard Hijacking: If you copied a crypto address to your clipboard (e.g., to send Bitcoin), the malware silently swapped it with the attacker’s address. Because many users only check the first and last few characters, this trick works frighteningly well.
• Address Spoofing with Lookalikes: Instead of inserting a completely different string, the attacker generated addresses that looked similar to the victim's legitimate addresses. This made the theft harder to notice until it was too late.
• Transaction Interception: For blockchains like Ethereum and Solana, the malware hooked into wallet APIs and monitored transaction requests and replaced the destination address with the attacker’s before you signed it.

‍

Which Blockchains Were Targeted

The attackers went multi-chain from the start, coding their malware to recognize different address formats and transaction flows. The following blockchains were confirmed targets:

• Bitcoin (BTC)
• Ethereum (ETH)
• Litecoin (LTC)
• Solana (SOL)
• TRON (TRX)
• Bitcoin Cash (BCH)

‍

Tracking the Attacker: Arkham Intelligence

Blockchain analysis platform Arkham Intelligence has already flagged the attacker as an entity in its system. The wallets linked to the hack are being tracked in real time.

• Initially, only $50 worth of crypto had been siphoned.
• That number has since risen to over $500.
• The dedicated Arkham entity view shows exactly which wallets are receiving stolen funds.

‍

Security Recommendations for Crypto Holders

1. Always Verify Transactions

• Don’t trust just the first and last few characters—read the full address.
• Send a small test transaction before moving large amounts.
• Be aware that malware can replace clipboard contents—don’t assume what you copied is what you’ll paste.

2. Use Hardware Wallets (with Screens)

Ledger’s CTO reminded the community: “What You See Is What You Sign.”

• A hardware wallet shows you transaction details on its own secure screen.
• You must physically confirm before signing, making it nearly impossible for malware to alter the recipient behind the scenes.

3. Wallet Etiquette

• Store Bitcoin on a dedicated Bitcoin-only device. Don’t mix it with every altcoin wallet you have.
• Avoid blind signing smart contracts. Always check what permissions you’re granting.
• Don’t reuse Bitcoin addresses. It improves privacy and reduces potential risks tied to future quantum computing.

4. Consider Air-Gapped Wallets

An air-gapped wallet (offline device) assumes your PC or mobile phone is already compromised. These devices never connect directly to the internet, reducing exposure to malware.

5. Stay Informed About Other Attack Types

Clipboard hijacking is only one method. Others include:

• UI Spoofing: Where the interface shows you the “correct” address, but the signed transaction points elsewhere.
• Approval Draining: On Ethereum and similar chains, attackers trick you into granting unlimited spending rights.

‍

Wallets Safe from This Attack

Educator @BTCSessions compiled a list of hardware and software wallets unaffected by this specific NPM attack. If you’re worried, cross-check your wallet against that list before sending funds.

‍

Bigger Lessons From the Attack

The reality is that your computer, browser, and phone can always be compromised. The attacker doesn’t need to break Bitcoin—they just need to trick you into sending it to the wrong place.

This is why air-gapped and hardware wallets exist: they operate on the assumption that your regular device is already infected. By shifting the signing process onto a secure, isolated device, you regain control.

‍

Time to Get a Hardware Wallet

This NPM supply chain attack is a clear signal: the days of storing serious crypto on hot wallets or browser extensions should be over.

If you hold meaningful amounts of Bitcoin or other crypto:

• Always verify addresses manually.
• Do test transactions before sending large sums.
• Get a hardware wallet—Ledger, Trezor, Coldcard, Passport, Keystone or similar.
• Or even build your own using open-source projects like Specter DIY or Seedsigner.

The cost or effort of proper wallet security is nothing compared to the risk of losing your funds forever.

The lesson is simple: if you value your Bitcoin, treat your wallet setup like it’s already under attack—because after this NPM hack, that’s closer to the truth than ever.

‍

Brought to You by Flush, the Ultimate Crypto Casino Destination for Gaming Enthusiasts

At Flush, a leading Crypto casino, you can enjoy a seamless, secure gaming experience with real money online slots, live casino games like poker, blackjack, baccarat, roulette, and much more. As a premier crypto casino, Flush features top titles from providers like Nolimit City, Hacksaw Gaming, Pragmatic Play and many more, ensuring an exciting lineup of games for every player.

New players can claim a massive 150% deposit bonus to boost their bankroll and dive into the action. Plus, every slot spin earns you points for our Weekly Races, where $10,000 in prizes is up for grabs.

Join Flush today and experience the thrill of real money gaming with cryptocurrency—fast, secure, and unforgettable.

‍