
Over 1 Billion Downloads at Risk in Historic NPM Hack, But Only $50 Lost So Far

Nahid
Published: September 9, 2025

TL;DR

  • Hackers breached a Node Package Manager (NPM) account tied to a popular developer.
  • Malicious code was added to JavaScript libraries downloaded over 1 billion times.
  • Attack targeted Ethereum and Solana wallets through injected malware.
  • Despite the massive scope, only $50 worth of crypto has been stolen so far.
  • Security researchers warn projects to check dependencies and avoid updates until cleaned.

A supply chain attack described as the largest in NPM history shook the crypto and developer community this week. According to Security Alliance (SEAL), hackers broke into the NPM account of a well-known software developer and planted malicious code in widely used JavaScript libraries.

These libraries have already been downloaded more than 1 billion times, meaning countless websites and apps could potentially be exposed. The malware was specifically designed to intercept crypto wallet activity, targeting both Ethereum and Solana users.

The Damage - Just $50

Despite the massive reach, the actual stolen amount remains shockingly small: less than $50 in crypto.

SEAL traced the attack to a malicious Ethereum address - 0xFc4a48 - which received a handful of tokens. The address collected about five cents worth of ETH and roughly $20 worth of a memecoin, alongside small amounts of niche tokens such as Brett (BRETT), Andy (ANDY), Dork Lord (DORK), Ethervista (VISTA), and Gondola (GONDOLA).

SEAL shared the finding on X, noting that this address is the only one linked to the hack so far.

Why This Matters Even If Losses Are Small

At first glance, $50 sounds like a harmless outcome. But experts warn that the real danger is not the stolen funds - it's the method of attack.

Supply chain hacks allow malicious code to sneak into trusted software dependencies. In practice, this means that websites or applications unknowingly push updates containing harmful code. For users, the risk is subtle: the malware could alter what happens when they click "swap" or approve a wallet transaction.

Security researcher 0xngmi, founder of DeFiLlama, explained it clearly:

"In any website that uses this hacked dependency, the hacker can inject malicious code. So, for example, when you click a 'swap' button, the code might replace the transaction with one sending money to the hacker. But you'd still see the bad transaction in your wallet and need to approve it - it's not like you'll instantly get drained."

In other words: your wallet isn't automatically compromised, but extra caution is required.

Why the Impact Is Limited

Fortunately, several factors have reduced the severity of this attack:

  • Most crypto projects "pin" their dependencies - meaning they lock each library to a specific, previously vetted version instead of automatically pulling the newest one.
  • The malware only affects websites or apps that pulled in the compromised library versions after the hack.
  • Users would still need to manually approve any malicious transaction.

0xngmi added that while the risk is smaller than it first appeared, users still can't know for certain if a project pinned dependencies. The safest advice for now: be cautious when using crypto websites until developers confirm their software is clean.
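The pinning check described above, and the lockfile audit developers are now doing, can be scripted. The following is an added example, not code from the article, SEAL or any project mentioned here; every package name and version in it is a constructed placeholder, to be replaced with the names and versions from the incident advisory.

```javascript
// Added example (not from the article, SEAL or any named project): audit an npm lockfile
// for known-bad package versions and flag floating specifiers in package.json.
// Every package name and version below is a CONSTRUCTED placeholder, not a real indicator.

// name -> set of versions flagged as compromised (placeholders)
const COMPROMISED = new Map([
  ["example-lib", new Set(["4.1.0"])],
  ["@example/other-lib", new Set(["2.3.1"])],
]);

// Constructed package-lock.json in the lockfileVersion 2/3 layout ("packages" keyed by install path).
const SAMPLE_LOCK = {
  name: "demo-dapp",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "example-lib": "^4.0.0", "safe-lib": "1.2.3" } },
    "node_modules/example-lib": { version: "4.1.0" },
    "node_modules/safe-lib": { version: "1.2.3" },
    // transitive, nested copy of a scoped package at a version NOT on the list
    "node_modules/safe-lib/node_modules/@example/other-lib": { version: "2.3.0" },
  },
};

// "node_modules/a/node_modules/@s/b" -> "@s/b": the name follows the last "node_modules/".
function packageNameFromPath(installPath) {
  const marker = "node_modules/";
  return installPath.slice(installPath.lastIndexOf(marker) + marker.length);
}

// Walk every installed package, direct or transitive, and report name@version matches.
function findCompromised(lock, badList = COMPROMISED) {
  const hits = [];
  for (const [installPath, meta] of Object.entries(lock.packages || {})) {
    if (installPath === "") continue; // root project entry, not a dependency
    const name = packageNameFromPath(installPath);
    const badVersions = badList.get(name);
    if (badVersions && badVersions.has(meta.version)) {
      hits.push({ name, version: meta.version, path: installPath });
    }
  }
  return hits;
}

// A spec counts as pinned only if it is an exact version; ^, ~, >=, *, "latest" and tags float.
function unpinnedDependencies(deps) {
  const exact = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;
  return Object.keys(deps).filter((name) => !exact.test(deps[name]));
}

console.log(findCompromised(SAMPLE_LOCK), unpinnedDependencies(SAMPLE_LOCK.packages[""].dependencies));
```

Lockfiles with lockfileVersion 1 use a nested "dependencies" tree instead of the flat "packages" map and need a recursive walker; a pinned package.json alone is not enough, since transitive dependencies are only fixed by the lockfile.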

A Wake-Up Call for Web3

Even with minimal financial losses, the incident is being described as a "wake-up call" for the crypto industry.

Supply chain hacks are especially dangerous because they don't attack a single project directly - instead, they compromise the shared tools that hundreds of projects rely on. In this case, JavaScript libraries are at the heart of countless websites, wallets, and apps.

If the hackers had executed more aggressively, the damage could have been catastrophic. The fact that only $50 was stolen may indicate that the attackers were testing their method, or that they lacked the infrastructure to exploit it at scale.

What's Next

For now, developers are rushing to check their codebases and confirm whether their projects pulled in the compromised libraries. SEAL is continuing to monitor the malicious address and will publish updates as more information surfaces.

Users, meanwhile, are advised to:

  • Avoid interacting with lesser-known crypto websites until updates are confirmed.
  • Double-check transaction details in wallets before approving.
  • Stay updated through trusted security platforms like SEAL.

Final Thought

The largest NPM supply chain hack in crypto history ended with a surprisingly small haul - less than $50. But the outcome should not distract from the bigger issue. If attackers can slip malware into widely used libraries, they can reach across an entire industry at once.

This time, crypto got lucky. Next time, it might not.

About the Author

Nahid

Based in Bangladesh but far from boxed in, Nahid has been deep in the crypto trenches for over four years. While most around him were still figuring out Web2, he was already writing about Web3, decentralized protocols, and Layer 2s. At CotiNews, Nahid translates bleeding-edge blockchain innovation into stories anyone can understand — proving every day that geography doesn’t define genius.

Disclaimer

The views and opinions expressed in this article are those of the authors and do not necessarily reflect the official stance of CotiNews or the COTI ecosystem. All content published on CotiNews is for informational and educational purposes only and should not be construed as financial, investment, legal, or technological advice. CotiNews is an independent publication and is not affiliated with coti.io, coti.foundation or its team. While we strive for accuracy, we do not guarantee the completeness or reliability of the information presented. Readers are strongly encouraged to do their own research (DYOR) before making any decisions based on the content provided. For corrections, feedback, or content takedown requests, please reach out to us at contact@coti.news.
