Explained: how crypto’s ‘largest supply chain attack’ stole just $0.05

A widespread security supply chain attack led to panic across the crypto community yesterday with users warned to “refrain from making any on-chain transactions.”

Researchers at security firm Aikido raised the alarm after discovering that 18 popular node package manager (npm) packages contained malicious code.

After being notified, the developer who maintains the popular npm packages, alias Qix, confirmed the compromise. He’d been “pwned” via a phishing email which “looked very legitimate.”

Despite the packages being widespread across the crypto industry, the attack led to almost no losses.

Samczsun, the head of Security Alliance, a blockchain security collective, called the result a “generational fumble.”

my sincerest condolences to the person responsible for this, this was a generational fumble, the likes of which we will probably never see again https://t.co/nfiTU5K0Ig

— samczsun (@samczsun) September 8, 2025

Read more: ‘Decentralized’ apps suffer after Ledger Connect Kit attack

What is an npm compromise?

While short-lived, the compromise was far reaching, due to the sheer frequency at which packages such as “chalk” and “debug-js” are used.

Analysis of the incident by Security Alliance stated that the compromised packages total “over 2 billion downloads per week.” It called the incident “likely the largest supply chain attack in history.”

In theory, the compromised packages could be used to modify transaction data for crypto users.

The Aikido report explains how the code “intercepts crypto and web3 activity in the browser” before it “rewrites payment destinations so that funds and approvals are redirected to attacker-controlled accounts without any obvious signs to the user.”

In an effort to camouflage the substituted addresses, the code uses the Levenshtein distance algorithm. This identifies visually similar attacker-controlled addresses to be injected in each attack.

The technique is similar to the often costly address poisoning attacks which plague the industry.

So, was the panic justified?

Warnings came in many forms. Some opted for measured recommendations to avoid signing transactions. Others made tongue in cheek claims that “THE BLOCKCHAIN IS COMPROMISED.”

PSA: THE BLOCKCHAIN IS COMPROMISED. DO NOT USE THE BLOCKCHAIN. pic.twitter.com/goWrdnJ3GT

— Gabriel Haines (@gabrielhaines) September 8, 2025

Read more: Starknet stutters, turns off and on again twice in one day

MetaMask, crypto’s most popular browser wallet, took to X to reassure users not to be “scared” of the attack. They detailed three “layers of defense” in place “to protect our products and users.”

0xngmi, the pseudonymous developer of decentralized finance dashboard DeFiLlama, explained that malicious packages would “only impact websites that pushed an update since the hacked npm package was published,” adding “most projects pin their dependencies, so even if they push an update they’ll keep using the old safe code.”

In all, the compromised packages were up for around two and a half hours. While the issue is marked as resolved on GitHub, Qix warns “other maintainers have been affected. Stay vigilant.”

The ‘dust’ settles

Once it became clear that the danger was limited, the community turned its focus to the attacker’s addresses.

Security Alliance identified a grand total of “around five cents of ETH” directly stolen during the attack.

Etherscan data show that the main address’ holdings are worth just over $900. However, around half that is 0.1 ETH, sent this morning, and various memecoins transferred for visibility.

Ridicule even came on-chain with one transaction input data message calling the attacker a “bloody fool.” The user made fun of the hacker who “hacked a massive npm developer account and still [couldn’t] steal [a] single penny. You are such a looser [sic].”

Security researchers took a moment to reflect, worrying that the bungled attempt may have “shown the way” for copycats.

Now that the clowns have shown the way, the slightly better skilled will try.

— Daniel Von Fange (@danielvf) September 8, 2025

Read more: The solution to crypto’s Lazarus problem could be simpler than expected

The Security Alliance X account says the industry “got lucky.” A “stealthily deployed backdoor” targeting developers could have persisted for long enough to be integrated into crypto apps.

Its incident report points to the true cost as the wasted “hours spent by engineering and security teams” and the “sales contracts that will inevitably be signed as a result of this new case study.”

Got a tip? Send us an email securely via Protos Leaks. For more informed news, follow us on X, Bluesky, and Google News, or subscribe to our YouTube channel.