Quick Take
- Hackers compromised popular NPM libraries used by millions of apps
- Malware swaps crypto wallet addresses to steal funds
- Users urged to check transactions and update apps immediately
What Happened
A major hack has hit the JavaScript ecosystem, the code behind countless apps and websites. The attacker gained access to the NPM account of a well-known developer (qix) and pushed malicious updates to popular libraries like chalk, strip-ansi, and color-convert.
These libraries are building blocks that many apps depend on. Together, they see more than a billion downloads every week, meaning the impact is widespread.
NPM’s security team has removed many of the malicious versions, but any apps that already installed or cached them may still be at risk.
Who Is Affected
Anyone using apps, wallets, or browser extensions built with these JavaScript libraries could be exposed. Developers are strongly advised to check their projects for the compromised packages.
The affected libraries include chalk, strip-ansi, color-convert, color-name, is-core-module, error-ex, simple-swizzle, and has-ansi. These are not obscure tools; they are widely used across the internet, which is why the threat is being taken so seriously.
How the Malware Steals Crypto
The malware’s purpose is to steal cryptocurrency by swapping wallet addresses.
Here’s how it works:
- When a user pastes or approves a wallet address, the malware silently replaces it with an attacker’s address.
- If the user doesn’t notice, funds are sent to the attacker.
- In some cases, the malware can even intercept wallet transactions before they’re signed.
This type of attack is easy to miss, since the swapped address often looks visually similar to the original one.
What You Should Do Now
Security experts, including Ledger CTO Charles Guillemet, are urging users to be cautious with every transaction.
Here are immediate steps to protect yourself:
- Use a hardware wallet with clear signing and verify every recipient address on the device screen.
- If you use a software wallet, double-check all addresses before confirming.
- Consider pausing on-chain transactions until you’ve audited your apps.
- Developers should reinstall dependencies and lock safe versions of the affected packages to prevent malicious updates from being pulled again.
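One way to run the dependency check described above, as an added example (not code from the original article or from npm): it lists every resolved copy of the packages named on this page in a parsed `package-lock.json`, including nested copies. The sample lockfile, its version strings, the non-affected package names and the `badVersions` blocklist are constructed placeholders, because the page does not list the malicious version numbers.

```javascript
// Package names reported as affected on this page.
const AFFECTED = new Set([
  'chalk', 'strip-ansi', 'color-convert', 'color-name',
  'is-core-module', 'error-ex', 'simple-swizzle', 'has-ansi',
]);

// Walk a parsed package-lock.json and return every resolved copy of an
// affected package, including copies nested under other dependencies.
function findAffected(lock) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path.
    for (const [path, meta] of Object.entries(lock.packages)) {
      const name = path.split('node_modules/').pop();
      if (AFFECTED.has(name)) hits.push({ name, version: meta.version, path });
    }
  } else {
    // lockfileVersion 1: nested "dependencies" trees.
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const path = `${prefix}node_modules/${name}`;
        if (AFFECTED.has(name)) hits.push({ name, version: meta.version, path });
        walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}

// badVersions maps package name -> versions listed as malicious in the
// registry advisory. The page does not list them; the caller supplies them.
function flagInstalled(lock, badVersions = {}) {
  return findAffected(lock).map((h) => (
    { ...h, flagged: (badVersions[h.name] || []).includes(h.version) }));
}

// Constructed sample lockfile (v3 layout); all versions are placeholders.
const SAMPLE_LOCK = {
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/chalk': { version: '0.0.1-example' },
    'node_modules/left-pad': { version: '0.0.2-example' },
    'node_modules/some-cli/node_modules/strip-ansi': { version: '0.0.3-example' },
  },
};
// Placeholder blocklist; replace with the versions from the advisory.
const SAMPLE_BAD = { 'strip-ansi': ['0.0.3-example'] };
flagInstalled(SAMPLE_LOCK, SAMPLE_BAD).forEach((h) =>
  console.log(`${h.flagged ? 'FLAGGED' : 'review'} ${h.name}@${h.version} (${h.path})`));
```

To scan a real project, pass the parsed contents of its `package-lock.json` and a blocklist taken from the registry advisory.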
Why It Matters
This incident highlights how vulnerable modern apps are to supply-chain hacks. A single compromised account can push malware into libraries that millions of developers and businesses rely on.
For crypto users, the lesson is simple: slow down when sending funds, always verify the destination address, and keep your apps updated. A few seconds of caution could mean the difference between a safe transaction and stolen funds.