September 9, 2025 at 6:15 pm EST
It is being described as one of the largest supply chain attacks in history, with multiple extremely popular NPM packages compromised.
NPM is a JavaScript software registry where developers share code for JavaScript projects. The hackers compromised a trusted software developer called qix and embedded malicious code into packages that have billions of downloads per week.
The code was designed to first steal credentials and then steal crypto from wallets like MetaMask by replacing addresses when users make transactions.
Despite the sophistication of the attack, the hacker’s crypto address, which you can track on Arkham, currently has just $505 in its account.
The attacker’s current holdings consist mainly of memecoins but also a small amount of Solana. However, it could be the case that many of these memecoins were sent to the hacker’s address and weren't actually stolen.
Fortunately, the malicious code was identified early after a developer noticed a cryptic build failure. The number of devices and programs infected with the malicious code is likely very small. There are now tools available to track down infected programs and remove them, but developers all over the world will still have a lot of work to do because of the popularity of the compromised Chalk and Debug libraries.
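One form such a check takes, as an added example that is not from the article or from any of the tools it mentions: a script that scans an npm package-lock.json for installed copies of named packages at versions listed as compromised, including nested duplicates. The package names, version strings and lockfile contents below are constructed placeholders; the real version list must come from the incident advisory.

```javascript
// Added example (not from the article). Scans an npm package-lock.json for
// installed copies of packages pinned to versions known to be compromised.
// CONSTRUCTED placeholders: replace with the versions named in the advisory.
const COMPROMISED = {
  chalk: new Set(['9.9.9-placeholder']),
  debug: new Set(['9.9.9-placeholder']),
};

// Package name from a lockfile v2/v3 "packages" key such as
// "node_modules/@scope/pkg" or "node_modules/a/node_modules/debug".
function nameFromLockKey(key) {
  const idx = key.lastIndexOf('node_modules/');
  return idx === -1 ? null : key.slice(idx + 'node_modules/'.length);
}

// Returns [{name, version, path}] for every installed copy whose version
// is on the compromised list. Handles lockfileVersion 1, 2 and 3.
function findCompromised(lock, compromised = COMPROMISED) {
  const hits = [];
  // v2/v3: flat "packages" map keyed by install path.
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    const name = nameFromLockKey(key);
    if (name && compromised[name] && compromised[name].has(meta.version)) {
      hits.push({ name, version: meta.version, path: key });
    }
  }
  // v1: nested "dependencies" tree (v2 also carries it; skip to avoid double counting).
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (compromised[name] && compromised[name].has(meta.version)) {
        hits.push({ name, version: meta.version, path });
      }
      walk(meta.dependencies, path + '/');
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return hits;
}

// Constructed sample lockfile: a matching top-level chalk, a clean debug,
// and a matching nested copy of debug under another dependency.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/chalk': { version: '9.9.9-placeholder' },
    'node_modules/debug': { version: '4.3.4' },
    'node_modules/express/node_modules/debug': { version: '9.9.9-placeholder' },
  },
};

for (const h of findCompromised(SAMPLE_LOCK)) console.log(`${h.path}@${h.version}`);
```

A lockfile only reflects what npm resolved for that project, so CI caches, global installs and bundled artifacts built during the exposure window need to be checked separately.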
As crypto hacks go, this one has been consequential in terms of the number of affected parties but minuscule in terms of the value that has been stolen. That contrasts with the LuBian hack, uncovered by Arkham last month, which was isolated to just one company but is likely the largest heist ever discovered.
The hack occurred in 2020 when LuBian, a Chinese mining pool with facilities in China and Iran, had 127,426 Bitcoin stolen by a mysterious hacker. At the time, this was worth $3.5 billion but now the stolen Bitcoin is worth $14.4 billion.