The post Crypto Funds at Risk from Massive Supply Chain Attack appeared on BitcoinEthereumNews.com.

Crypto Funds at Risk from Massive Supply Chain Attack

2025/09/09 06:06

Crypto Hack: What Happened?

A widely used npm package, error-ex, was tampered with in its 1.3.3 release. Hidden inside was obfuscated code that activates two dangerous attack modes:

  • Clipboard Hijacking: When you paste a wallet address, the malware silently swaps it with the attacker’s lookalike address.
  • Transaction Interception: If you use a browser wallet, the code can intercept transaction calls and change the recipient’s address before you even see the confirmation screen.

This makes it nearly impossible to notice unless you carefully check every single character of the address you’re sending to.

Who’s at Risk from this Crypto Hack?

  1. Developers: Any project pulling dependencies without strict version pinning may have installed the infected version. This could affect CI pipelines, production builds, and apps that rely on JavaScript.
  2. Crypto Users: The malware targets major assets including $BTC, $ETH, $SOL, $TRX, $LTC, and $BCH. Both clipboard users and browser wallets are at risk.
  3. Platforms: Even centralized apps integrating npm libraries may have unknowingly included the malicious code.

Which Companies were Affected?

Already, SwissBorg confirmed a breach linked to a compromised partner API. Roughly 192.6K SOL (~$41.5M) was drained in the attack. While the SwissBorg app itself remains secure, its SOL Earn Program was hit, affecting <1% of users. The platform has promised recovery measures, including treasury funds and support from white-hat hackers.

How to Protect Yourself

Here’s what you need to do right now:

For Wallet Users

✅ Always verify every transaction — check the full recipient address before signing.
✅ Use a hardware wallet with clear signing enabled.
✅ Avoid unnecessary browser wallet extensions.
✅ If something feels off (unexpected signing requests), close the tab immediately.

For Developers

⚙️ Switch CI builds from npm install to npm ci to lock dependencies.
⚙️ Run npm ls error-ex to detect infected installs.
⚙️ Pin safe versions (error-ex@1.3.2) and regenerate lockfiles.
⚙️ Add dependency scanners like Snyk or Dependabot.
⚙️ Treat package-lock changes with the same scrutiny as code reviews.
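
A lockfile check for the developer steps above, added here as an example and not taken from the article or from npm: it walks a parsed package-lock.json (the v2/v3 packages map or the v1 dependencies tree) and reports every installed copy of error-ex 1.3.3, including nested ones that a top-level pin does not cover. The function names and the sample lockfile are constructed for illustration.

```javascript
// Added example (not from the article or npm). The bad version comes from the
// article; the function names and the sample lockfile are constructed.
const BAD = { name: "error-ex", versions: ["1.3.3"] };

// lockfileVersion 2/3: flat "packages" map keyed by install path,
// e.g. "node_modules/a/node_modules/error-ex". "" is the root project.
function scanPackagesMap(packages, bad, hits) {
  for (const [path, meta] of Object.entries(packages)) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1) continue; // root project or workspace folder
    // meta.name, when present, overrides the folder name (aliased installs)
    const name = meta.name || path.slice(idx + "node_modules/".length);
    if (name === bad.name && bad.versions.includes(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
}

// lockfileVersion 1: nested "dependencies" tree keyed by package name.
function scanDependencyTree(deps, bad, hits, trail = []) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const here = [...trail, name];
    if (name === bad.name && bad.versions.includes(meta.version)) {
      hits.push({ path: here.join(" > "), version: meta.version });
    }
    scanDependencyTree(meta.dependencies, bad, hits, here);
  }
}

// Pass the result of JSON.parse() on the contents of package-lock.json.
function findBadInstalls(lock, bad = BAD) {
  const hits = [];
  if (lock.packages) scanPackagesMap(lock.packages, bad, hits);
  else scanDependencyTree(lock.dependencies, bad, hits);
  return hits;
}

// Constructed sample: the top-level copy is the safe 1.3.2, but a nested
// copy under another dependency resolved to 1.3.3.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/error-ex": { version: "1.3.2" },
    "node_modules/parse-json": { version: "5.2.0" },
    "node_modules/parse-json/node_modules/error-ex": { version: "1.3.3" },
  },
};
console.log(findBadInstalls(sampleLock));
```

Because it works from the lockfile alone, this check can run during review of a package-lock change, before anything is installed.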

Outlook

This incident highlights the fragility of supply chains in Web3 and beyond. A small package compromise can cascade into billions of downloads, hitting both developers and crypto holders worldwide. The immediate danger lies in address-swapping attacks, but the broader concern is how deep this could spread into financial infrastructure.

For now: check before you sign, pin your dependencies, and don’t take security shortcuts.

Source: https://cryptoticker.io/en/breaking-massive-supply-chain-attack-hits-crypto-funds-at-risk/
