
The compromised NPM account of a single web developer led to a massive supply chain attack, but the hackers made only a few cents in crypto, analysts say.
The unknown hackers pulled off what may be the biggest software supply chain attack ever, yet walked away with almost nothing.
On Monday, September 8th, hackers broke into the account of a well-known JavaScript developer known as “QIX” and pushed malicious updates to dozens of widely used packages for building websites and apps, packages that are downloaded more than a billion times a week.
After gaining access, the hacker added malicious code to all of the developer’s packages. It is not a virus in the traditional sense; it is designed to steal cryptocurrency from the user’s wallet in the browser.
Because updates from a package’s maintainer are usually trusted automatically, the attack spread quickly: many projects and apps accept newer versions without checking them, so the hacker’s code propagated fast.
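The propagation described above depends on projects declaring dependency ranges that let a newer release install on its own. As an added example (not code from the article or from any package it mentions), the Node.js script below audits a package.json and flags every dependency whose version range is not an exact pin. The manifest and the package names in it are constructed for this example.

```javascript
// Added example, not part of the article: find dependency ranges in a
// package.json that would silently accept a newer (possibly malicious) release.
// SAMPLE_MANIFEST is constructed for this example; the package names are made up.
const SAMPLE_MANIFEST = {
  name: 'example-app',
  dependencies: {
    'made-up-lib': '^4.1.2',     // caret: any 4.x.y at or above 4.1.2
    'made-up-util': '~1.3.0',    // tilde: any 1.3.x
    'made-up-core': '5.0.1',     // exact pin
    'made-up-colors': '*',       // any version at all
  },
  devDependencies: {
    'made-up-test': 'latest',    // dist-tag: whatever is newest
    'made-up-build': '>=2.0.0',  // open-ended range
  },
};

// An exact semver version, optionally with a prerelease suffix.
const EXACT = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$/;

// Classify a single range string from package.json.
function classifyRange(range) {
  const r = String(range).trim();
  if (r === '' || r === '*' || r.toLowerCase() === 'latest') return 'any';
  if (EXACT.test(r)) return 'exact';
  // Operators, partial versions (1.2), x-ranges (1.x), OR (||) and hyphen ranges
  // all resolve to more than one version.
  if (/^[~^<>=]/.test(r) || /^\d+(\.\d+)?$/.test(r) || /\|\|| - |\bx\b/i.test(r)) {
    return 'floating';
  }
  return 'other'; // git/URL/file:/npm: specs and custom dist-tags: review by hand
}

// Walk every dependency section and return the entries that are not pinned.
function auditManifest(manifest) {
  const findings = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, range] of Object.entries(manifest[field] || {})) {
      const kind = classifyRange(range);
      if (kind !== 'exact') findings.push({ field, name, range, kind });
    }
  }
  return findings;
}

// Render findings as one line per package for a CI log.
function formatReport(findings) {
  if (findings.length === 0) return 'all dependencies are pinned to exact versions';
  return findings
    .map((f) => `${f.field}/${f.name}: "${f.range}" is ${f.kind}; pin an exact version`)
    .join('\n');
}

// Run stand-alone under Node.js (CommonJS); harmless when imported.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(formatReport(auditManifest(SAMPLE_MANIFEST)));
}
```

Pinning in package.json is only half the control: a committed lockfile installed with `npm ci` is what actually stops a fresh install from resolving a range to a newer release, so a CI job would run this audit and also fail when the lockfile is missing or out of date.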
Snir Levi, founder and CEO of the compliance and threat management platform Nominis, told Defiant that code reuse is “the backbone of the entire ecosystem,” so a single compromised NPM account can cascade into thousands of projects and businesses, which makes the modern software supply chain “incredibly interconnected.” NPM is a registry of JavaScript software packages.
“The interests aren’t just technical. Malicious packages of critical dependencies can affect millions of users, travel billions of dollars, and undermine trust in industry integrity. The incident highlights that security doesn’t just protect infrastructure.”
The malicious code, which primarily targeted Ethereum and Solana transactions, was designed to swap destination addresses for the hackers’ wallet addresses, the Security Alliance wrote in a blog post after Monday’s attack.
Cybersecurity experts say the code also tried to rewrite anything that looked like a cryptocurrency address in web traffic.
“Generational Fumble”
On paper the attack was devastating, but in terms of actual losses the Security Alliance says the hackers made only around $0.05 worth of ETH and $20 in memecoins.
“Despite the magnitude of the violation, attackers only appear to have ‘stolen’ about five cents of ETH, which has a trading volume of a whopping $588 for the past 24 hours, and only $20 in Memecoin,” the Security Alliance said.
Commenting on the attack in a post on X, Samczsun, the pseudonymous white hat hacker and founder of the Security Alliance, described the incident as “a generational fumble that will probably never be seen again.”
Harry Donnelly, CEO of the digital asset recovery company Circuit, argued in comments to Defiant that the attack is far from the last of its kind, as there are “a lot of dependencies and vulnerabilities in the crypto supply chain.”
“This attack is an example of how something as small as an open source package installed by a single developer can create an unintended attack vector. Even if the payload is exchanged, taking steps to deal with malicious activity is extremely important to prevent funds from being stolen,” added Donnelly.
