Ethereum, Solana wallets targeted in 'NPM' attack on packages with billions of downloads, but only 5 cents were taken

A phishing email on Monday compromised one of the most prolific Node.js developers, pushing malicious code into packages downloaded billions of times a week, in what researchers have called the largest software supply-chain attack in recent times.
While the scope of the attack is massive, the Security Alliance said in a report on Tuesday that the attacker walked away with only a few cents. However, security teams now face the huge cost of updating backend systems to counter additional attacks.
A very well-known maintainer known as "qix," whose libraries (such as chalk and debug-js) draw billions of downloads each week, was compromised last week after receiving an email from support@npmjs[.]help. The domain pointed to a Russian server and redirected to a spoofed two-factor authentication page hosted on the BunnyCDN content delivery network.
The credential stealer harvested the username, password, and 2FA code before sending them to a remote host. With that access, the attacker republished every qix package with a crypto-focused payload.
Node package manager (shortened to NPM) is like an app store for developers, where coders download small code blocks (called packages) instead of writing everything from scratch. A maintainer is the person or entity that creates and updates packages.
How did the attack happen
The injected code is simple. It checks whether window.ethereum is present and, if so, hooks into Ethereum's core transaction functions. Calls to approve, permit, transfer, or transferFrom were quietly rerouted to a single wallet, "0xFC4A4858BAF54D1B1D7697BFB5C52F4C166976."
Any Ethereum transaction with value and no data was also redirected. For Solana, the malware overwrote recipients with an invalid string starting "1911 …," breaking the transfer.
Network requests were also intercepted.
By hooking fetch and XMLHttpRequest, the malware scanned JSON responses for substrings resembling wallet addresses and replaced them with one of 280 hardcoded alternatives chosen to look deceptively similar.
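An application that knows which addresses it expects can catch the response rewriting described above. The following added example (not code from the article or from any project it names) scans a JSON body for Ethereum-style addresses and reports any that are not on an allowlist; the function names, the allowlist approach, the use of edit distance for triage, and the sample addresses are assumptions made for illustration.

```javascript
// Added example, not from the article. All addresses are constructed samples.
const ETH_ADDRESS = /\b0x[0-9a-fA-F]{40}\b/g;

// Levenshtein edit distance, two-row dynamic programming.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Report every Ethereum-style address in `body` that is not on `allowlist`.
// Matching is exact (case-insensitive); the nearest allowlisted address and
// its edit distance are included only to help triage a suspected swap.
function findUnexpectedAddresses(body, allowlist) {
  const known = allowlist.map((a) => a.toLowerCase());
  const findings = [];
  for (const hit of body.match(ETH_ADDRESS) || []) {
    const addr = hit.toLowerCase();
    if (known.includes(addr)) continue;
    let nearest = null;
    let distance = Infinity;
    for (const k of known) {
      const d = editDistance(addr, k);
      if (d < distance) { nearest = k; distance = d; }
    }
    findings.push({ address: hit, nearest, distance });
  }
  return findings;
}

// Constructed sample: the same API response before and after an address swap.
const TREASURY = "0x" + "1a2b3c4d5e".repeat(4);
const SWAPPED = "0x" + "1a2b3c4d5f".repeat(4); // differs in 4 characters
const cleanBody = JSON.stringify({ payTo: TREASURY, amount: "1.5" });
const tamperedBody = JSON.stringify({ payTo: SWAPPED, amount: "1.5" });

console.log(findUnexpectedAddresses(cleanBody, [TREASURY]));
console.log(findUnexpectedAddresses(tamperedBody, [TREASURY]));
```

The check only helps if the allowlist comes from build-time configuration or another source that does not pass through the same hooked fetch or XMLHttpRequest path. It covers the response-rewriting behaviour only, not the rerouting of transaction calls.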
Impact of Attack
But for all its distribution, the impact was negligible.
On-chain data shows that the attacker has received only around five cents of ether and about $20 worth of an obscure memecoin that has traded less than $600 in volume, the Security Alliance report said.
The popular browser wallet MetaMask also said on X that it was not affected by the NPM supply-chain attack, as the wallet locks its code versions, uses manual and automated checks, and releases updates in stages. It also uses "LavaMoat," which blocks malicious code even if it is inserted, and "Blockaid," which quickly flags compromised wallet addresses, to keep attacks at bay.
Meanwhile, Ledger CTO Charles Guillemet warned that the malicious code was pushed into packages with more than one billion downloads and was designed to silently replace wallet addresses in transactions.
The attack follows another case flagged last week by ReversingLabs.