A large-scale supply chain attack on the JavaScript ecosystem has prompted an urgent warning from Ledger’s chief technology officer, Charles Guillemet, who advised users without hardware wallets to avoid on-chain transactions until further notice.
On September 8, hackers compromised the npm account of Josh Goldberg, a well-known open-source maintainer known as “Qix,” publishing malicious updates to 18 widely used packages, including chalk, debug, strip-ansi, and color-convert.
These utilities underpin much of the modern web and collectively account for more than 2.6 billion weekly downloads, according to npm statistics.
Researchers Uncover Crypto-Clipper Malware Hidden in Popular npm Libraries
Security researchers quickly found that the new versions contained a “crypto-clipper” malware.
The payload works by intercepting browser functions and swapping out legitimate cryptocurrency wallet addresses with attacker-controlled ones.
In some cases, the malware actively hijacks wallet communications, modifying transactions before they are signed.
The attack was first uncovered after a build error exposed obfuscated code hidden in one of the updated packages.
Analysis showed that the malware employed a two-pronged strategy: passively replacing wallet addresses using sophisticated algorithms to mimic the look of real ones and actively intercepting transactions from browser-based wallets like MetaMask to redirect funds.
The scale of the attack is unprecedented. Packages such as chalk are downloaded nearly 300 million times a week, while debug sees around 358 million weekly downloads.
Collectively, the targeted libraries are embedded deep within the dependency trees of tools like Babel, ESLint, and countless other projects, raising concerns that the fallout could affect developers and users worldwide.
In a post on X, Ledger CTO Charles Guillemet described the incident as a “large-scale supply chain attack” and warned that the malicious payload had already reached billions of downloads.
“If you use a hardware wallet, pay attention to every transaction before signing and you’re safe,” he wrote.
“If you don’t use a hardware wallet, refrain from making any on-chain transactions for now.” Guillemet added that it was still unclear whether the attackers were also attempting to steal wallet seed phrases.
The attackers reportedly gained access through a phishing campaign that targeted npm maintainers with emails impersonating the platform’s support team.
The fraudulent messages claimed that accounts would be locked unless two-factor authentication credentials were updated by September 10. Clicking the link redirected victims to a fake login page designed to steal credentials.
Once in control of Goldberg’s account, the attackers pushed malicious versions of core packages used across millions of applications.
Aikido Security, which analyzed the attack, said the injected code functioned as a browser-based interceptor capable of altering website content, tampering with API calls, and rewriting payment destinations without alerting users.
npm has since removed many of the compromised versions, but security experts warn that transitive dependencies make it difficult to ensure complete protection.
Developers are being urged to immediately audit their projects, pin safe versions of dependencies, and rebuild lockfiles.
The attack shows the fragility of the open-source ecosystem, which relies heavily on trust between maintainers and developers.
With billions of downloads affected and active wallet addresses linked to stolen funds already surfacing on-chain, researchers are describing the incident as one of the most severe supply chain compromises in the JavaScript ecosystem’s history.
Crypto Hacks Surge Past $3B in 2025 as Phishing and Laundering Tactics Escalate
The crypto sector is facing its most severe security crisis yet, with hackers stealing over $3 billion across 119 incidents in the first half of 2025, according to new data from blockchain analytics firm Global Ledger.
The figure is one and a half times greater than total losses in 2024, placing the industry on track to break annual records.
The report shows the speed of these attacks as a new threat. In some cases, stolen funds were moved within four seconds of an exploit, far faster than most exchange alert systems.
Nearly 70% of hacks saw funds moved before the breach became public, while one in four had assets fully laundered before any statement or alert was issued.
On average, it takes 37 hours for an incident to be publicly reported, leaving investigators trailing attackers who often cash out within minutes. Only 4.2% of stolen assets, around $126 million, were recovered in the first six months of the year.
Recent incidents underline the scale of the problem. In July, hackers infiltrated Brazil’s national payment system through provider C&M Software, stealing about $180 million from reserve accounts and quickly routing funds through crypto exchanges.
In June, hardware wallet maker Trezor warned of a phishing exploit that abused its customer support system to send fake emails requesting wallet backups.
Around the same time, CoinMarketCap and Cointelegraph suffered front-end compromises that pushed phishing pop-ups and fake airdrop promotions to users.
Despite the surge in attacks, bug bounty programs continue to show promise. Platforms like Immunefi report more than $120 million in payouts to white-hat hackers, preventing an estimated $25 billion in potential losses.
But with laundering times now measured in seconds, analysts warn the industry’s defenses are struggling to keep paceA large-scale supply chain attack on the JavaScript ecosystem has prompted an urgent warning from Ledger’s chief technology officer, Charles Guillemet, who advised users without hardware wallets to avoid on-chain transactions until further notice.
On September 8, hackers compromised the npm account of Josh Goldberg, a well-known open-source maintainer known as “Qix,” publishing malicious updates to 18 widely used packages, including chalk, debug, strip-ansi, and color-convert.
These utilities underpin much of the modern web and collectively account for more than 2.6 billion weekly downloads, according to npm statistics.
Researchers Uncover Crypto-Clipper Malware Hidden in Popular npm Libraries
Security researchers quickly found that the new versions contained a “crypto-clipper” malware.
The payload works by intercepting browser functions and swapping out legitimate cryptocurrency wallet addresses with attacker-controlled ones.
In some cases, the malware actively hijacks wallet communications, modifying transactions before they are signed.
The attack was first uncovered after a build error exposed obfuscated code hidden in one of the updated packages.
Analysis showed that the malware employed a two-pronged strategy: passively replacing wallet addresses using sophisticated algorithms to mimic the look of real ones and actively intercepting transactions from browser-based wallets like MetaMask to redirect funds.
The scale of the attack is unprecedented. Packages such as chalk are downloaded nearly 300 million times a week, while debug sees around 358 million weekly downloads.
Collectively, the targeted libraries are embedded deep within the dependency trees of tools like Babel, ESLint, and countless other projects, raising concerns that the fallout could affect developers and users worldwide.
In a post on X, Ledger CTO Charles Guillemet described the incident as a “large-scale supply chain attack” and warned that the malicious payload had already reached billions of downloads.
“If you use a hardware wallet, pay attention to every transaction before signing and you’re safe,” he wrote.
“If you don’t use a hardware wallet, refrain from making any on-chain transactions for now.” Guillemet added that it was still unclear whether the attackers were also attempting to steal wallet seed phrases.
The attackers reportedly gained access through a phishing campaign that targeted npm maintainers with emails impersonating the platform’s support team.
The fraudulent messages claimed that accounts would be locked unless two-factor authentication credentials were updated by September 10. Clicking the link redirected victims to a fake login page designed to steal credentials.
Once in control of Goldberg’s account, the attackers pushed malicious versions of core packages used across millions of applications.
Aikido Security, which analyzed the attack, said the injected code functioned as a browser-based interceptor capable of altering website content, tampering with API calls, and rewriting payment destinations without alerting users.
npm has since removed many of the compromised versions, but security experts warn that transitive dependencies make it difficult to ensure complete protection.
Developers are being urged to immediately audit their projects, pin safe versions of dependencies, and rebuild lockfiles.
The attack shows the fragility of the open-source ecosystem, which relies heavily on trust between maintainers and developers.
With billions of downloads affected and active wallet addresses linked to stolen funds already surfacing on-chain, researchers are describing the incident as one of the most severe supply chain compromises in the JavaScript ecosystem’s history.
Crypto Hacks Surge Past $3B in 2025 as Phishing and Laundering Tactics Escalate
The crypto sector is facing its most severe security crisis yet, with hackers stealing over $3 billion across 119 incidents in the first half of 2025, according to new data from blockchain analytics firm Global Ledger.
The figure is one and a half times greater than total losses in 2024, placing the industry on track to break annual records.
The report shows the speed of these attacks as a new threat. In some cases, stolen funds were moved within four seconds of an exploit, far faster than most exchange alert systems.
Nearly 70% of hacks saw funds moved before the breach became public, while one in four had assets fully laundered before any statement or alert was issued.
On average, it takes 37 hours for an incident to be publicly reported, leaving investigators trailing attackers who often cash out within minutes. Only 4.2% of stolen assets, around $126 million, were recovered in the first six months of the year.
Recent incidents underline the scale of the problem. In July, hackers infiltrated Brazil’s national payment system through provider C&M Software, stealing about $180 million from reserve accounts and quickly routing funds through crypto exchanges.
In June, hardware wallet maker Trezor warned of a phishing exploit that abused its customer support system to send fake emails requesting wallet backups.
Around the same time, CoinMarketCap and Cointelegraph suffered front-end compromises that pushed phishing pop-ups and fake airdrop promotions to users.
Despite the surge in attacks, bug bounty programs continue to show promise. Platforms like Immunefi report more than $120 million in payouts to white-hat hackers, preventing an estimated $25 billion in potential losses.
But with laundering times now measured in seconds, analysts warn the industry’s defenses are struggling to keep pace
“Avoid On-Chain Transactions”: Ledger CTO Issues Urgent Warning After JavaScript Attack
A large-scale supply chain attack on the JavaScript ecosystem has prompted an urgent warning from Ledger’s chief technology officer, Charles Guillemet, who advised users without hardware wallets to avoid on-chain transactions until further notice.
On September 8, hackers compromised the npm account of Josh Goldberg, a well-known open-source maintainer known as “Qix,” publishing malicious updates to 18 widely used packages, including chalk, debug, strip-ansi, and color-convert.
These utilities underpin much of the modern web and collectively account for more than 2.6 billion weekly downloads, according to npm statistics.
Security researchers quickly found that the new versions contained a “crypto-clipper” malware.
The payload works by intercepting browser functions and swapping out legitimate cryptocurrency wallet addresses with attacker-controlled ones.
In some cases, the malware actively hijacks wallet communications, modifying transactions before they are signed.
The attack was first uncovered after a build error exposed obfuscated code hidden in one of the updated packages.
Analysis showed that the malware employed a two-pronged strategy: passively replacing wallet addresses using sophisticated algorithms to mimic the look of real ones and actively intercepting transactions from browser-based wallets like MetaMask to redirect funds.
The scale of the attack is unprecedented. Packages such as chalk are downloaded nearly 300 million times a week, while debug sees around 358 million weekly downloads.
Collectively, the targeted libraries are embedded deep within the dependency trees of tools like Babel, ESLint, and countless other projects, raising concerns that the fallout could affect developers and users worldwide.
In a post on X, Ledger CTO Charles Guillemet described the incident as a “large-scale supply chain attack” and warned that the malicious payload had already reached billions of downloads.
“If you use a hardware wallet, pay attention to every transaction before signing and you’re safe,” he wrote.
“If you don’t use a hardware wallet, refrain from making any on-chain transactions for now.” Guillemet added that it was still unclear whether the attackers were also attempting to steal wallet seed phrases.
The attackers reportedly gained access through a phishing campaign that targeted npm maintainers with emails impersonating the platform’s support team.
The fraudulent messages claimed that accounts would be locked unless two-factor authentication credentials were updated by September 10. Clicking the link redirected victims to a fake login page designed to steal credentials.
Once in control of Goldberg’s account, the attackers pushed malicious versions of core packages used across millions of applications.
Aikido Security, which analyzed the attack, said the injected code functioned as a browser-based interceptor capable of altering website content, tampering with API calls, and rewriting payment destinations without alerting users.
npm has since removed many of the compromised versions, but security experts warn that transitive dependencies make it difficult to ensure complete protection.
Developers are being urged to immediately audit their projects, pin safe versions of dependencies, and rebuild lockfiles.
The attack shows the fragility of the open-source ecosystem, which relies heavily on trust between maintainers and developers.
With billions of downloads affected and active wallet addresses linked to stolen funds already surfacing on-chain, researchers are describing the incident as one of the most severe supply chain compromises in the JavaScript ecosystem’s history.
Crypto Hacks Surge Past $3B in 2025 as Phishing and Laundering Tactics Escalate
The crypto sector is facing its most severe security crisis yet, with hackers stealing over $3 billion across 119 incidents in the first half of 2025, according to new data from blockchain analytics firm Global Ledger.
The figure is one and a half times greater than total losses in 2024, placing the industry on track to break annual records.
The report shows the speed of these attacks as a new threat. In some cases, stolen funds were moved within four seconds of an exploit, far faster than most exchange alert systems.
Nearly 70% of hacks saw funds moved before the breach became public, while one in four had assets fully laundered before any statement or alert was issued.
On average, it takes 37 hours for an incident to be publicly reported, leaving investigators trailing attackers who often cash out within minutes. Only 4.2% of stolen assets, around $126 million, were recovered in the first six months of the year.
Recent incidents underline the scale of the problem. In July, hackers infiltrated Brazil’s national payment system through provider C&M Software, stealing about $180 million from reserve accounts and quickly routing funds through crypto exchanges.
In June, hardware wallet maker Trezor warned of a phishing exploit that abused its customer support system to send fake emails requesting wallet backups.
Around the same time, CoinMarketCap and Cointelegraph suffered front-end compromises that pushed phishing pop-ups and fake airdrop promotions to users.
Despite the surge in attacks, bug bounty programs continue to show promise. Platforms like Immunefi report more than $120 million in payouts to white-hat hackers, preventing an estimated $25 billion in potential losses.
But with laundering times now measured in seconds, analysts warn the industry’s defenses are struggling to keep pace.
Disclaimer: The articles reposted on this site are sourced from public platforms and are provided for informational purposes only. They do not necessarily reflect the views of MEXC. All rights remain with the original authors. If you believe any content infringes on third-party rights, please contact service@support.mexc.com for removal. MEXC makes no guarantees regarding the accuracy, completeness, or timeliness of the content and is not responsible for any actions taken based on the information provided. The content does not constitute financial, legal, or other professional advice, nor should it be considered a recommendation or endorsement by MEXC.
You May Also Like
U.S. Moves Grip on Crypto Regulation Intensifies
The post U.S. Moves Grip on Crypto Regulation Intensifies appeared on BitcoinEthereumNews.com. The United States is contending with the intricacies of cryptocurrency regulation as newly enacted legislation stirs debate over centralized versus decentralized finance. The recent passage of the GENIUS Act under Bo Hines’ leadership is perceived to skew favor towards centralized entities, potentially disadvantaging decentralized innovations. Continue Reading:U.S. Moves Grip on Crypto Regulation Intensifies Source: https://en.bitcoinhaber.net/u-s-moves-grip-on-crypto-regulation-intensifies
Share
BitcoinEthereumNews2025/09/18 01:09
The Role of Blockchain in Building Safer Web3 Gaming Ecosystems
The gaming industry is in the midst of a historic shift, driven by the rise of Web3. Unlike traditional games, where developers and publishers control assets and dictate in-game economies, Web3 gaming empowers players with ownership and influence. Built on blockchain technology, these ecosystems are decentralized by design, enabling true digital asset ownership, transparent economies, and a future where players help shape the games they play.
However, as Web3 gaming grows, security becomes a focal point. The range of security concerns, from hacking to asset theft to vulnerabilities in smart contracts, is a significant issue that will undermine or erode trust in this ecosystem, limiting or stopping adoption. Blockchain technology could be used to create security processes around secure, transparent, and fair Web3 gaming ecosystems. We will explore how security is increasing within gaming ecosystems, which challenges are being overcome, and what the future of security looks like.
Why is Security Important in Web3 Gaming?
Web3 gaming differs from traditional gaming in that players engage with both the game and assets with real value attached. Players own in-game assets that exist as tokens or NFTs (Non-Fungible Tokens), and can trade and sell them. These game assets usually represent significant financial value, meaning security failure could represent real monetary loss.
In essence, without security, the promises of owning “something” in Web3, decentralized economies within games, and all that comes with the term “fair” gameplay can easily be eroded by fraud, hacking, and exploitation. This is precisely why the uniqueness of blockchain should be emphasized in securing Web3 gaming.
How Blockchain Ensures Security in Web3 Gaming?
- Immutable Ownership of Assets Blockchain records can be manipulated by anyone. If a player owns a sword, skin, or plot of land as an NFT, it is verifiably in their ownership, and it cannot be altered or deleted by the developer or even hacked. This has created a proven track record of ownership, providing control back to the players, unlike any centralised gaming platform where assets can be revoked.
- Decentralized Infrastructure Blockchain networks also have a distributed architecture where game data is stored in a worldwide network of nodes, making them much less susceptible to centralised points of failure and attacks. This decentralised approach makes it exponentially more difficult to hijack systems or even shut off the game’s economy.
- Secure Transactions with Cryptography Whether a player buys an NFT or trades their in-game tokens for other items or tokens, the transactions are enforced by cryptographic algorithms, ensuring secure, verifiable, and irreversible transactions and eliminating the risks of double-spending or fraudulent trades.
- Smart Contract Automation Smart contracts automate the enforcement of game rules and players’ economic exchanges for the developer, eliminating the need for intermediaries or middlemen, and trust for the developer. For example, if a player completes a quest that promises a reward, the smart contract will execute and distribute what was promised.
- Anti-Cheating and Fair Gameplay The naturally transparent nature of blockchain makes it extremely simple for anyone to examine a specific instance of gameplay and verify the economic outcomes from that play. Furthermore, multi-player games that enforce smart contracts on things like loot sharing or win sharing can automate and measure trustlessness and avoid cheating, manipulations, and fraud by developers.
- Cross-Platform Security Many Web3 games feature asset interoperability across platforms. This interoperability is made viable by blockchain, which guarantees ownership is maintained whenever assets transition from one game or marketplace to another, thereby offering protection to players who rely on transfers for security against fraud. Key Security Dangers in Web3 Gaming Although blockchain provides sound first principles of security, the Web3 gaming ecosystem is susceptible to threats. Some of the most serious threats include:
Share
Medium2025/09/18 14:40
Why your phone number shows as private and how to remove it
Table of contents How to remove private number on your Android How to remove private number on your iPhone (iOS) What to do if your number still shows as Private
Share
Techcabal2026/02/07 00:23