NPM Hack: Over a Billion Downloads Compromised

DonQuijote

5 hours ago


The JavaScript ecosystem and the cryptocurrency world face one of the biggest security incidents of the year. In early September 2025, a developer account on NPM, a key platform for millions of projects, was compromised and used to distribute malicious packages.

The scale of the attack is unprecedented: the affected packages have surpassed one billion downloads, and the injected code is able to alter crypto transactions in real time.

The NPM compromise and its impact

The attack began when a trusted NPM developer account was breached, apparently through social engineering techniques. Once inside, the attackers published infected versions of at least eighteen popular packages, used as dependencies in all kinds of projects, from web applications to development tools.

The impact was immediate and massive. These packages had been downloaded more than one billion times in the last week alone, making this incident the largest recorded supply chain attack against NPM so far.

The magnitude of the spread shows how trust in widely used libraries can quickly turn into a vector for global attacks.

An attack designed to steal cryptocurrencies

The malicious payload included in the packages had a clear purpose: to redirect user funds. The injected code silently replaced destination addresses in transactions, so that the user believed they were sending funds to a legitimate account while in reality the funds were transferred to an attacker-controlled address.

This type of manipulation is especially critical in the crypto space, because a signed operation cannot be reversed once it is broadcast. According to Charles Guillemet, CTO of Ledger, the threat is not tied to any single chain and can affect any blockchain, which increases the severity of the case and forces the community to take extreme precautions.

Risks for hardware and software wallets

The risks vary depending on the type of wallet used:

  • Hardware wallets (Ledger, Trezor): offer greater protection but are not invulnerable. Users must carefully verify every transaction detail before approving it on their devices, as this review constitutes the final line of defense.

  • Software wallets: are at higher risk. Transactions can be intercepted and manipulated without the user noticing. The immediate recommendation is to suspend on-chain operations until the scope of the attack becomes clear.

One point of uncertainty is that it has not yet been confirmed whether the attackers also attempted to steal seed phrases, which, if verified, would further increase the consequences of the incident.
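The address swap described above, and the advice to verify every transaction detail before approving it, amount to one check: compare what the user intended with what is about to be signed. The following is an added example, not code from the article or from any wallet vendor, of a wallet-side guard that runs immediately before a transaction is handed to the signer. Field names follow Ethereum-style transactions (`to`, `value`, `data`, `chainId`); that choice and every sample value are assumptions made for the example.

```javascript
// Added example, not code from the article: a wallet-side check run immediately
// before a transaction is handed to the signer. It compares the user's stated
// intent with the transaction object the application (and its dependency chain)
// actually produced, and reports every discrepancy. Field names follow
// Ethereum-style transactions (to, value, data, chainId); that choice and all
// sample values below are assumptions for the example.

// Accept a 20-byte hex address, case-insensitively; return null otherwise.
function normalizeAddress(addr) {
  if (typeof addr !== 'string') return null;
  const a = addr.trim().toLowerCase();
  return /^0x[0-9a-f]{40}$/.test(a) ? a : null;
}

// Parse an amount given as a decimal or 0x-hex string (or number) into a BigInt.
function toAmount(v) {
  if (v === undefined || v === null) return 0n;
  return BigInt(v);
}

// Return a list of discrepancies; an empty list means tx matches the intent.
function verifyBeforeSign(intent, tx) {
  const problems = [];
  const wantTo = normalizeAddress(intent.to);
  const gotTo = normalizeAddress(tx.to);
  if (!wantTo) problems.push('intended recipient is not a valid address');
  if (!gotTo) problems.push('transaction recipient is not a valid address');
  if (wantTo && gotTo && wantTo !== gotTo) {
    problems.push(`recipient changed: expected ${wantTo}, got ${gotTo}`);
  }
  const wantValue = toAmount(intent.value);
  const gotValue = toAmount(tx.value);
  if (wantValue !== gotValue) {
    problems.push(`amount changed: expected ${wantValue}, got ${gotValue}`);
  }
  // A plain transfer should carry no calldata; unexpected data can route funds
  // through a contract call even when `to` looks right.
  if (intent.kind === 'transfer' && tx.data && tx.data !== '0x') {
    problems.push('plain transfer unexpectedly carries calldata');
  }
  if (intent.chainId !== undefined && tx.chainId !== intent.chainId) {
    problems.push(`chain changed: expected ${intent.chainId}, got ${tx.chainId}`);
  }
  return problems;
}

// Constructed sample: what the user typed into the UI.
const INTENT = {
  kind: 'transfer',
  to: '0x1111111111111111111111111111111111111111',
  value: '1000000000000000000', // 1 unit in the chain's smallest denomination
  chainId: 1,
};

// Honest transaction built from the intent.
const HONEST_TX = { to: INTENT.to, value: INTENT.value, data: '0x', chainId: 1 };

// Constructed transaction whose recipient was swapped by a dependency.
const SWAPPED_TX = { ...HONEST_TX, to: '0x2222222222222222222222222222222222222222' };

if (typeof require !== 'undefined' && require.main === module) {
  console.log('honest:', verifyBeforeSign(INTENT, HONEST_TX));
  console.log('swapped:', verifyBeforeSign(INTENT, SWAPPED_TX));
}
```

The guard only helps if the `intent` object is captured directly from the user's input and the comparison lives in a module with no third-party dependencies, so that a compromised package cannot rewrite both sides. A hardware wallet's own screen performs the same comparison outside the possibly compromised host, which is why the article calls that review the final line of defense.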

A growing chain of attacks

This is not an isolated event, but part of a growing trend throughout 2025:

  • July: packages like got-fetch and eslint-config-prettier were compromised to distribute malware stealing sensitive information.
  • May: more than sixty NPM packages and Visual Studio Code extensions included malicious code to collect IP addresses, credentials, and configuration data.
  • August: the Nx framework was targeted with malware capable of extracting tokens, SSH keys, and GitHub credentials, even using artificial intelligence to enhance reconnaissance phases.

The continuity of these incidents demonstrates that supply chain attacks are no longer sporadic, but a recurring pattern that exploits the trust developers and users place in open-source projects.

Mitigation and response strategies

Immediate measures suggested include:

  • For cryptocurrency users:

    • Restrict usage to hardware wallets.
    • Avoid operations with software wallets until official confirmation.
    • Verify every transaction in detail before signing.
  • For developers:

    • Thoroughly audit used dependencies.
    • Confirm that installed versions match official releases.
    • Use software composition analysis (SCA) tools and generate a software bill of materials (SBOM).
    • Strengthen authentication on NPM accounts.
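The developer measures above (audit dependencies, confirm that installed versions match official releases) can be partly automated against the lockfile. The following is an added example, not code from the article or from NPM itself, that audits a `package-lock.json` (lockfileVersion 2 or 3) for versions on a blocklist of known-compromised releases, tarballs resolved from somewhere other than the official registry, and entries with no integrity hash. The blocklist contents and the sample lockfile are constructed placeholders; the real package names and versions must come from the official advisory.

```javascript
// Added example, not code from the article: audit a package-lock.json
// (lockfileVersion 2 or 3) for (a) versions on a blocklist of known-compromised
// releases, (b) tarballs resolved from outside the official registry, and
// (c) entries that carry no integrity hash. The blocklist contents and the
// sample lockfile below are constructed placeholders.

const OFFICIAL_REGISTRY = 'https://registry.npmjs.org/';

// Placeholder blocklist: fill in package names and versions from the official advisory.
const BLOCKLIST = {
  'example-pkg': ['1.2.3'],
};

// Derive the package name from a lockfile path such as
// "node_modules/a/node_modules/@scope/b" -> "@scope/b". An explicit `name`
// field (used for aliased installs) takes precedence.
function packageNameFromPath(path, entry) {
  if (entry.name) return entry.name;
  const marker = 'node_modules/';
  const idx = path.lastIndexOf(marker);
  return idx === -1 ? path : path.slice(idx + marker.length);
}

// Walk the `packages` map and return one finding per problem found.
function auditLockfile(lock, blocklist = BLOCKLIST) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '' || entry.link) continue; // root project / workspace symlink
    const name = packageNameFromPath(path, entry);
    const version = entry.version;
    const base = { path, name, version };
    if ((blocklist[name] || []).includes(version)) {
      findings.push({ ...base, reason: 'known-compromised version' });
    }
    if (entry.resolved && !entry.resolved.startsWith(OFFICIAL_REGISTRY)) {
      findings.push({ ...base, reason: 'resolved outside the official registry' });
    }
    if (entry.resolved && !entry.integrity) {
      findings.push({ ...base, reason: 'no integrity hash recorded' });
    }
  }
  return findings;
}

// Read a lockfile from disk and audit it (Node.js only).
function auditLockfileAt(file, blocklist = BLOCKLIST) {
  const fs = require('fs');
  return auditLockfile(JSON.parse(fs.readFileSync(file, 'utf8')), blocklist);
}

// Constructed sample lockfile (not a real project) exercising each check once.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-app', version: '1.0.0' },
    'node_modules/example-pkg': {
      version: '1.2.3',
      resolved: 'https://registry.npmjs.org/example-pkg/-/example-pkg-1.2.3.tgz',
      integrity: 'sha512-constructed',
    },
    'node_modules/safe-lib': {
      version: '4.0.1',
      resolved: 'https://registry.npmjs.org/safe-lib/-/safe-lib-4.0.1.tgz',
      integrity: 'sha512-constructed',
    },
    // nested, older copy of the same package: not on the blocklist
    'node_modules/safe-lib/node_modules/example-pkg': {
      version: '1.2.2',
      resolved: 'https://registry.npmjs.org/example-pkg/-/example-pkg-1.2.2.tgz',
      integrity: 'sha512-constructed',
    },
    'node_modules/mirror-lib': {
      version: '2.0.0',
      resolved: 'https://mirror.example.invalid/mirror-lib-2.0.0.tgz',
      integrity: 'sha512-constructed',
    },
    'node_modules/nohash-lib': {
      version: '0.9.0',
      resolved: 'https://registry.npmjs.org/nohash-lib/-/nohash-lib-0.9.0.tgz',
    },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of auditLockfile(SAMPLE_LOCK)) {
    console.log(`${f.reason}: ${f.name}@${f.version} (${f.path})`);
  }
}
```

Run it on a real project with `auditLockfileAt('package-lock.json')`. Nested copies are checked individually because a safe top-level version does not guarantee that a transitive dependency pinned an older or newer release; the integrity check matters because without a recorded hash `npm ci` cannot detect a tarball that was replaced after the lockfile was written.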

NPM has already disabled the compromised packages, although it is still working on recovering the affected account and redistributing safe versions.

Conclusion

The detected attack represents one of the most severe episodes in the history of NPM and clearly exposes the fragility of the software supply chain.

With more than one billion downloads affected, the threat has had a global reach, endangering both developers and cryptocurrency users. The uncertainty surrounding the possible theft of seed phrases further increases the urgency to remain cautious.


Tags

npm, NPM security, malicious packages, cryptocurrencies, social engineering, supply chain, attack on NPM, fund redirection, hardware wallets, software wallets, seed phrase theft, malware on NPM, attack mitigation, dependency auditing, NPM authentication, cryptocurrency security, 2025 security incidents


© Ola GG. All rights reserved 2024.