Malware in NPM packages steals cryptocurrencies from users around the world, warns Ledger CTO


By Angel di Matteo @Shadowargel

The CTO of Ledger warns of a security gap and the large-scale distribution of malware that compromises widely used JavaScript packages and could now be used to steal cryptocurrencies during transactions.

***

  • An attack compromised the Qix developer account on NPM, infecting widely used packages.
  • The affected libraries total more than 1,000 million weekly downloads.
  • The malware is a sophisticated "crypto-clipper" designed to steal cryptocurrencies.

Charles Guillemet, CTO of Ledger, alerted the entire crypto community to a large-scale vulnerability in the JavaScript ecosystem, which is being used by bad actors to take the cryptocurrencies of users of hardware and software wallets.

In a message posted on his X account, Guillemet warned of the vulnerability, indicating that the NPM account of a renowned developer had been compromised, resulting in the distribution of many affected packages that have already been downloaded "more than one billion times", putting the entire JavaScript ecosystem at risk and especially affecting crypto users who carry out transactions.

In this regard, Guillemet indicates that the malicious code "works by silently swapping crypto addresses on the fly to steal funds." He therefore warns that if the user has a hardware wallet, "you must pay attention to each transaction before signing, and you will be safe". If it is a software wallet, he recommends refraining from transactions.

Regarding the vulnerability, the Ledger executive shared a report offering more technical details. It states that malicious versions of packages such as chalk, strip-ansi, color-convert and is-core-module were published, all of them widely downloaded and used, so the impact could be devastating.

"These libraries are not marginal tools but fundamental building blocks deeply integrated into most modern web projects. Together they record more than 1,000 million weekly downloads, which makes this attack a threat of global scale," the report indicates.

Technical details: how it all started

The discovery did not come from an obvious alert but from an error in a continuous integration (CI/CD) pipeline. A simple exception, ReferenceError: fetch is not defined, aroused the curiosity of the affected developers.

On investigating, they found that the dependency error-ex had been updated from the stable version 1.3.2 to a suspicious version 1.3.3. While the former contained just one clean line of code, the new one included hundreds of obfuscated lines designed to hide its true function. Among them was a function with an alarming name: checkethereumw.

After analyzing the code, the researchers discovered that it was a "crypto-clipper", malware specialized in stealing cryptocurrency funds. The attack relies on two complementary methods:

  1. Passive address interception: the software modifies the native fetch and XMLHttpRequest functions in browsers to intercept data. Using a list of attacker-controlled addresses in BTC, ETH, SOL, TRX, LTC and BCH, it replaces the user's legitimate addresses with the visually most similar ones, chosen by Levenshtein distance.

  2. Active transaction manipulation: if it detects the presence of a wallet such as MetaMask, it intercepts requests such as eth_sendTransaction. The malware replaces the recipient address inside the transaction before the user signs it, diverting the funds to the attacker.

The ingenuity of the code lies in its ability to deceive the human eye, making it difficult for a user to notice the alteration before approving a transaction.
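A defender-side illustration of the two mechanisms just described, added here as an example (it is not code from the article or from Ledger's report): the same Levenshtein distance the clipper uses to pick a lookalike can flag a substituted address before signing, and a native-code check can tell whether fetch or XMLHttpRequest.prototype.open has been replaced by script. The 8-edit threshold and the sample addresses are assumptions constructed for the example.

```javascript
// Added example (not from the article or Ledger's report). Defender-side use of the
// same ideas the clipper relies on: edit distance to spot a lookalike substitution,
// and a native-code check for the hooks it installs on fetch / XMLHttpRequest.

// Classic dynamic-programming Levenshtein distance using one rolling row.
function levenshtein(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];          // d[i-1][j-1]
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];     // d[i-1][j]
      row[j] = Math.min(
        above + 1,                                     // deletion
        row[j - 1] + 1,                                // insertion
        diag + (a[i - 1] === b[j - 1] ? 0 : 1)         // substitution
      );
      diag = above;
    }
  }
  return row[b.length];
}

// Compare the address that actually left the app with the one the user intended.
// "lookalike" means only a few edits apart, the hallmark of a clipper swap. The
// 8-edit threshold is an assumption for this example, not a value from the article.
function classifyAddress(intended, observed, maxLookalikeDistance = 8) {
  if (intended === observed) return "ok";
  const d = levenshtein(intended.toLowerCase(), observed.toLowerCase());
  return d <= maxLookalikeDistance ? "lookalike" : "mismatch";
}

// Native browser functions stringify to "function fetch() { [native code] }";
// a JavaScript replacement shows its source instead. Caveat: bound functions also
// print "[native code]", so a "clean" result is a hint, not proof, and in Node the
// built-in fetch is itself JavaScript and fails this check.
function isNative(fn) {
  return typeof fn === "function" &&
    /\[native code\]/.test(Function.prototype.toString.call(fn));
}
function networkHooksLookClean(g = globalThis) {
  const xhrOpen = g.XMLHttpRequest && g.XMLHttpRequest.prototype.open;
  return isNative(g.fetch) && (xhrOpen === undefined || isNative(xhrOpen));
}

// Constructed sample addresses (not real ones), 42-character Ethereum format.
const INTENDED = "0x" + "a1".repeat(20);
const LOOKALIKE = INTENDED.slice(0, 20) + "ff" + INTENDED.slice(22);  // 2 chars changed
const UNRELATED = "0x" + "b2".repeat(20);
```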

The magnitude of the threat

The analysis confirmed that multiple critical libraries had been compromised. The figures are alarming: chalk records 300 million weekly downloads, strip-ansi exceeds 260 million and color-convert passes 200 million. In total, the affected packages represent more than 1,070 million downloads per week.

This means the attack surface ranges from small projects to corporate applications and large-scale services. The transparency of blockchains made it possible to identify the attackers' addresses, such as 0xFC4A4858BAFEF54D1B1D7697BBB5C52F4C166976 on Ethereum, which has public activity on Etherscan.

Urgent protection measures

The incident highlights the fragility of the software supply chain and the need for proactive security measures. Experts recommend immediate steps:

  • Use npm ci in build pipelines, so that installs are based only on the package-lock.json file.

  • Force safe versions of dependencies through the overrides feature in package.json, guaranteeing that only uncompromised versions are installed.

  • Audit dependencies routinely, using tools such as npm audit, Snyk or Dependabot.
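One way to put the first two steps into practice, added here as an example (not code from the article, from npm or from Ledger): scan a lockfileVersion 2/3 package-lock.json for a blocklisted version and emit the overrides pin for the last clean release. The only malicious version the article names is error-ex 1.3.3, so the blocklist holds that single entry; the sample lockfile is constructed for the example.

```javascript
// Added example, not from the article. Flags a compromised package version locked in
// package-lock.json and builds the package.json "overrides" pin the article recommends.
// The article names only error-ex 1.3.3 as malicious; further entries would follow
// the same shape, taken from a published advisory.
const BLOCKLIST = {
  "error-ex": { bad: ["1.3.3"], safe: "1.3.2" },
};

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json. Returns one
// { path, name, version } record per locked copy (top-level or nested) of a bad version.
function findCompromised(lock, blocklist = BLOCKLIST) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue;                        // root project entry
    const marker = "node_modules/";
    const name = meta.name || path.slice(path.lastIndexOf(marker) + marker.length);
    const entry = blocklist[name];
    if (entry && entry.bad.includes(meta.version)) {
      hits.push({ path, name, version: meta.version });
    }
  }
  return hits;
}

// Build the "overrides" object that forces the last clean version for every hit, so
// that npm install / npm ci cannot resolve the malicious release again.
function buildOverrides(hits, blocklist = BLOCKLIST) {
  const overrides = {};
  for (const h of hits) overrides[h.name] = blocklist[h.name].safe;
  return overrides;
}

// Constructed sample lockfile (not a real project's): one malicious top-level copy of
// error-ex and a clean nested copy. chalk is present but, since the article gives no
// malicious chalk version, it is not on this blocklist.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/error-ex": { version: "1.3.3" },
    "node_modules/parse-json/node_modules/error-ex": { version: "1.3.2" },
    "node_modules/chalk": { version: "4.1.2" },
  },
};
```

Merging the returned object into the "overrides" key of package.json and re-running npm ci is the manual step that remains.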

The attack shows that even a minor build error can be the trace of a systemic problem. Trust in open-source software requires continuous monitoring and reinforced validation processes.

For now, the community is advised to heed the considerations above and avoid transactions until the associated problems are resolved.


This is a developing story.


Article written with the help of an AI content editor, edited by Angel Di Matteo / DiarioBitcoin

Original DiarioBitcoin image, created with artificial intelligence, free to use, licensed as public domain.
