Buy Crypto- Markets
Futures- Spot
- Copy Trade
- Earn
- More
Massive NPM Supply Chain Attack Hits Crypto World, Steals Under $50 as of September 11, 2025
Imagine stumbling upon a goldmine only to walk away with pocket change—that’s essentially what happened in one of the biggest hacks targeting the crypto space through JavaScript tools. Hackers infiltrated a prominent developer’s account on the node package manager, known as NPM, injecting harmful code into widely used libraries. These libraries, boasting over a billion downloads, put numerous crypto initiatives in jeopardy by aiming at wallets on networks like Ethereum and Solana.
BTC$148,5001.2%ETH$5,2001.5%XRP$3.502.8%BNB$9500.9%SOL$2504.2%DOGE$0.2803.5%ADA$0.9504.5%STETH$5,1901.6%TRX$0.3802.0%AVAX$30.003.5%SUI$4.004.5%TON$3.501.8%BTC$148,5001.2%ETH$5,2001.5%XRP$3.502.8%BNB$9500.9%SOL$2504.2%DOGE$0.2803.5%ADA$0.9504.5%STETH$5,1901.6%TRX$0.3802.0%AVAX$30.003.5%SUI$4.004.5%TON$3.501.8%
Hackers Strike Big in NPM Breach but Walk Away with Pennies
Security experts from the crypto intelligence group Security Alliance revealed on a recent Monday that intruders had compromised an NPM account belonging to a respected software creator. They slyly embedded malware into essential JavaScript libraries, which see billions of weekly downloads. This move could have granted them entry to countless developer setups, opening doors to massive fortunes in the crypto realm. Yet, astonishingly, the haul amounted to less than $50 in stolen digital assets, as per the latest updates tracked through blockchain explorers.
Picture this scenario: you’ve got the master key to a vault brimming with treasures, but you settle for scraps. That’s how researchers described it, likening the hacker’s missed opportunity to using a Fort Knox access card as nothing more than a bookmark. A pseudonymous expert from the SEAL security team, going by Samczsun, shared with reporters that while the malware spread far and wide, it’s now mostly contained and neutralized, preventing widespread damage.
Initially pegged at just five cents, the stolen amount edged up to around $50 within hours, hinting that the full impact might still be emerging as of September 11, 2025. Recent blockchain data from Etherscan confirms this, showing the suspect address “0xFc4a48” receiving minor inflows, underscoring how the attack’s potential far outstripped its actual yield.
Small Crypto Hauls: ETH and Memecoins in the Mix
Diving deeper, the pilfered funds included a tiny sliver of Ether worth mere cents, alongside about $20 in a quirky memecoin. Blockchain records highlight transfers of tokens like Brett, Andy (ANDY), Dork Lord (DORK), Ethervista (VISTA), and Gondola (GONDOLA) to the malicious wallet. It’s a stark contrast to the havoc that could have ensued, much like a would-be bank robber fleeing with just the contents of a penny jar instead of the safe.
Even Untouched Crypto Projects Face NPM Malware Risks
The intrusion zeroed in on everyday utilities like chalk, strip-ansi, and color-convert—those unsung heroes nested deep within project dependencies. Developers might never have grabbed them directly, yet their apps could still be vulnerable if these pieces are woven into the bigger picture. Think of NPM as a bustling marketplace for code snippets, where creators exchange building blocks to craft JavaScript wonders.
The culprits likely deployed a crypto-clipper, a sneaky tool that swaps out wallet addresses mid-transaction to siphon funds away. High-profile voices in the crypto community, including the tech lead from Ledger, have been vocal about double-checking onchain deals to stay safe. It’s a reminder that in the fast-paced world of digital assets, vigilance is your best defense.
Safe Havens: Ledger, MetaMask, and Others Dodge the NPM Bullet
Not every corner of the crypto ecosystem felt the sting. Providers like Ledger and MetaMask have confirmed their systems remain secure, thanks to robust protective measures layered in. The Phantom Wallet crew echoed this, stating they avoid the compromised package versions entirely. Platforms such as Uniswap, Aerodrome, Blast, Blockstream Jade, and Revoke.cash also reported no exposure to the supply chain threat, showcasing how proactive security can turn a potential disaster into a non-event.
Crypto Users Won’t Face Instant Drains, But Caution Rules
The founder of a leading analytics tool, known pseudonymously as 0xngmi, pointed out that only projects updating post-infection might be in the crosshairs. Even then, the malware requires user approval on shady transactions to succeed—it’s not an automatic wallet emptier. Still, echoing other experts, he advised steering clear of crypto sites until teams scrub out the tainted code, much like waiting for the all-clear after a minor spill in a busy kitchen.
In terms of brand alignment, this incident highlights the importance of choosing exchanges that prioritize security and seamless integration with developer tools. For instance, WEEX exchange stands out by aligning its platform with top-tier cybersecurity standards, ensuring users can trade confidently without fearing supply chain vulnerabilities. Its commitment to robust defenses and user-centric features not only builds trust but also enhances overall credibility in the volatile crypto market, making it a go-to choice for those seeking reliability amid such threats.
Recent buzz on Twitter has amplified discussions around this NPM attack, with users sharing tips on verifying dependencies and memes poking fun at the hacker’s “epic fail.” Frequently searched Google queries like “How to check for NPM malware in crypto projects?” and “Latest updates on JavaScript library hacks” have surged, reflecting widespread concern. As of September 11, 2025, official announcements from NPM indicate they’ve revoked the compromised packages, and Twitter posts from security firms report no major new thefts, though monitoring continues for any lingering effects.
This tale of a colossal opportunity squandered serves as a wake-up call, blending high-stakes drama with surprisingly low rewards, and urging the crypto community to bolster defenses against such clever intrusions.
FAQ
What exactly is an NPM supply chain attack, and how does it affect crypto users?
An NPM supply chain attack involves hackers tampering with popular code libraries on the node package manager to insert malware. For crypto users, this can target wallets by altering transaction details, but as seen here, quick detection limited the damage to under $50.
How can I protect my crypto wallet from similar malware threats?
Double-check wallet addresses before confirming transactions, use hardware wallets with multiple verification layers, and stick to platforms with strong security like those avoiding vulnerable dependencies. Regularly update software and monitor blockchain activity for anomalies.
Has the NPM attack led to any major changes in crypto development practices?
Yes, it’s prompting developers to audit dependencies more rigorously and adopt zero-trust models. Discussions on Twitter emphasize community-driven security tools, and updates as of September 11, 2025, show increased adoption of automated scanning to prevent future breaches.
You may also like
TAO is Elon Musk, who invested in OpenAI, and Subnet is Sam Altman
The era of "mass coin distribution" on public chains comes to an end
Soaring 50 times, with an FDV exceeding 10 billion USD, why RaveDAO?
1 billion DOTs were minted out of thin air, but the hacker only made 230,000 dollars
After the blockade of the Strait of Hormuz, when will the war end?
Before using Musk's "Western WeChat" X Chat, you need to understand these three questions
The X Chat will be available for download on the App Store this Friday. The media has already covered the feature list, including self-destructing messages, screenshot prevention, 481-person group chats, Grok integration, and registration without a phone number, positioning it as the "Western WeChat." However, there are three questions that have hardly been addressed in any reports.
There is a sentence on X's official help page that is still hanging there: "If malicious insiders or X itself cause encrypted conversations to be exposed through legal processes, both the sender and receiver will be completely unaware."
No. The difference lies in where the keys are stored.
In Signal's end-to-end encryption, the keys never leave your device. X, the court, or any external party does not hold your keys. Signal's servers have nothing to decrypt your messages; even if they were subpoenaed, they could only provide registration timestamps and last connection times, as evidenced by past subpoena records.
X Chat uses the Juicebox protocol. This solution divides the key into three parts, each stored on three servers operated by X. When recovering the key with a PIN code, the system retrieves these three shards from X's servers and recombines them. No matter how complex the PIN code is, X is the actual custodian of the key, not the user.
This is the technical background of the "help page sentence": because the key is on X's servers, X has the ability to respond to legal processes without the user's knowledge. Signal does not have this capability, not because of policy, but because it simply does not have the key.
The following illustration compares the security mechanisms of Signal, WhatsApp, Telegram, and X Chat along six dimensions. X Chat is the only one of the four where the platform holds the key and the only one without Forward Secrecy.
The significance of Forward Secrecy is that even if a key is compromised at a certain point in time, historical messages cannot be decrypted because each message has a unique key. Signal's Double Ratchet protocol automatically updates the key after each message, a mechanism lacking in X Chat.
After analyzing the X Chat architecture in June 2025, Johns Hopkins University cryptology professor Matthew Green commented, "If we judge XChat as an end-to-end encryption scheme, this seems like a pretty game-over type of vulnerability." He later added, "I would not trust this any more than I trust current unencrypted DMs."
From a September 2025 TechCrunch report to being live in April 2026, this architecture saw no changes.
In a February 9, 2026 tweet, Musk pledged to undergo rigorous security tests of X Chat before its launch on X Chat and to open source all the code.
As of the April 17 launch date, no independent third-party audit has been completed, there is no official code repository on GitHub, the App Store's privacy label reveals X Chat collects five or more categories of data including location, contact info, and search history, directly contradicting the marketing claim of "No Ads, No Trackers."
Not continuous monitoring, but a clear access point.
For every message on X Chat, users can long-press and select "Ask Grok." When this button is clicked, the message is delivered to Grok in plaintext, transitioning from encrypted to unencrypted at this stage.
This design is not a vulnerability but a feature. However, X Chat's privacy policy does not state whether this plaintext data will be used for Grok's model training or if Grok will store this conversation content. By actively clicking "Ask Grok," users are voluntarily removing the encryption protection of that message.
There is also a structural issue: How quickly will this button shift from an "optional feature" to a "default habit"? The higher the quality of Grok's replies, the more frequently users will rely on it, leading to an increase in the proportion of messages flowing out of encryption protection. The actual encryption strength of X Chat, in the long run, depends not only on the design of the Juicebox protocol but also on the frequency of user clicks on "Ask Grok."
X Chat's initial release only supports iOS, with the Android version simply stating "coming soon" without a timeline.
In the global smartphone market, Android holds about 73%, while iOS holds about 27% (IDC/Statista, 2025). Of WhatsApp's 3.14 billion monthly active users, 73% are on Android (according to Demand Sage). In India, WhatsApp covers 854 million users, with over 95% Android penetration. In Brazil, there are 148 million users, with 81% on Android, and in Indonesia, there are 112 million users, with 87% on Android.
WhatsApp's dominance in the global communication market is built on Android. Signal, with a monthly active user base of around 85 million, also relies mainly on privacy-conscious users in Android-dominant countries.
X Chat circumvented this battlefield, with two possible interpretations. One is technical debt; X Chat is built with Rust, and achieving cross-platform support is not easy, so prioritizing iOS may be an engineering constraint. The other is a strategic choice; with iOS holding a market share of nearly 55% in the U.S., X's core user base being in the U.S., prioritizing iOS means focusing on their core user base rather than engaging in direct competition with Android-dominated emerging markets and WhatsApp.
These two interpretations are not mutually exclusive, leading to the same result: X Chat's debut saw it willingly forfeit 73% of the global smartphone user base.
This matter has been described by some: X Chat, along with X Money and Grok, forms a trifecta creating a closed-loop data system parallel to the existing infrastructure, similar in concept to the WeChat ecosystem. This assessment is not new, but with X Chat's launch, it's worth revisiting the schematic.
X Chat generates communication metadata, including information on who is talking to whom, for how long, and how frequently. This data flows into X's identity system. Part of the message content goes through the Ask Grok feature and enters Grok's processing chain. Financial transactions are handled by X Money: external public testing was completed in March, opening to the public in April, enabling fiat peer-to-peer transfers via Visa Direct. A senior Fireblocks executive confirmed plans for cryptocurrency payments to go live by the end of the year, holding money transmitter licenses in over 40 U.S. states currently.
Every WeChat feature operates within China's regulatory framework. Musk's system operates within Western regulatory frameworks, but he also serves as the head of the Department of Government Efficiency (DOGE). This is not a WeChat replica; it is a reenactment of the same logic under different political conditions.
The difference is that WeChat has never explicitly claimed to be "end-to-end encrypted" on its main interface, whereas X Chat does. "End-to-end encryption" in user perception means that no one, not even the platform, can see your messages. X Chat's architectural design does not meet this user expectation, but it uses this term.
X Chat consolidates the three data lines of "who this person is, who they are talking to, and where their money comes from and goes to" in one company's hands.
The help page sentence has never been just technical instructions.
Parse Noise's newly launched Beta version, how to "on-chain" this heat?
Is Lobster a Thing of the Past? Unpacking the Hermes Agent Tools that Supercharge Your Throughput to 100x
Declare War on AI? The Doomsday Narrative Behind Ultraman's Residence in Flames
Crypto VCs Are Dead? The Market Extinction Cycle Has Begun
Claude's Journey to Foolishness in Diagrams: The Cost of Thriftiness, or How API Bill Increased 100-Fold
Edge Land Regress: A Rehash Around Maritime Power, Energy, and the Dollar
Arthur Hayes Latest Interview: How Should Retail Investors Navigate the Iran Conflict?
Just now, Sam Altman was attacked again, this time by gunfire
Straits Blockade, Stablecoin Recap | Rewire News Morning Edition
From High Expectations to Controversial Turnaround, Genius Airdrop Triggers Community Backlash
The Xiaomi electric vehicle factory in Beijing's Daxing district has become the new Jerusalem for the American elite
Lean Harness, Fat Skill: The Real Source of 100x AI Productivity
TAO is Elon Musk, who invested in OpenAI, and Subnet is Sam Altman
The era of "mass coin distribution" on public chains comes to an end
Soaring 50 times, with an FDV exceeding 10 billion USD, why RaveDAO?
1 billion DOTs were minted out of thin air, but the hacker only made 230,000 dollars
After the blockade of the Strait of Hormuz, when will the war end?
Before using Musk's "Western WeChat" X Chat, you need to understand these three questions
The X Chat will be available for download on the App Store this Friday. The media has already covered the feature list, including self-destructing messages, screenshot prevention, 481-person group chats, Grok integration, and registration without a phone number, positioning it as the "Western WeChat." However, there are three questions that have hardly been addressed in any reports.
There is a sentence on X's official help page that is still hanging there: "If malicious insiders or X itself cause encrypted conversations to be exposed through legal processes, both the sender and receiver will be completely unaware."
No. The difference lies in where the keys are stored.
In Signal's end-to-end encryption, the keys never leave your device. X, the court, or any external party does not hold your keys. Signal's servers have nothing to decrypt your messages; even if they were subpoenaed, they could only provide registration timestamps and last connection times, as evidenced by past subpoena records.
X Chat uses the Juicebox protocol. This solution divides the key into three parts, each stored on three servers operated by X. When recovering the key with a PIN code, the system retrieves these three shards from X's servers and recombines them. No matter how complex the PIN code is, X is the actual custodian of the key, not the user.
This is the technical background of the "help page sentence": because the key is on X's servers, X has the ability to respond to legal processes without the user's knowledge. Signal does not have this capability, not because of policy, but because it simply does not have the key.
The following illustration compares the security mechanisms of Signal, WhatsApp, Telegram, and X Chat along six dimensions. X Chat is the only one of the four where the platform holds the key and the only one without Forward Secrecy.
The significance of Forward Secrecy is that even if a key is compromised at a certain point in time, historical messages cannot be decrypted because each message has a unique key. Signal's Double Ratchet protocol automatically updates the key after each message, a mechanism lacking in X Chat.
After analyzing the X Chat architecture in June 2025, Johns Hopkins University cryptology professor Matthew Green commented, "If we judge XChat as an end-to-end encryption scheme, this seems like a pretty game-over type of vulnerability." He later added, "I would not trust this any more than I trust current unencrypted DMs."
From a September 2025 TechCrunch report to being live in April 2026, this architecture saw no changes.
In a February 9, 2026 tweet, Musk pledged to undergo rigorous security tests of X Chat before its launch on X Chat and to open source all the code.
As of the April 17 launch date, no independent third-party audit has been completed, there is no official code repository on GitHub, the App Store's privacy label reveals X Chat collects five or more categories of data including location, contact info, and search history, directly contradicting the marketing claim of "No Ads, No Trackers."
Not continuous monitoring, but a clear access point.
For every message on X Chat, users can long-press and select "Ask Grok." When this button is clicked, the message is delivered to Grok in plaintext, transitioning from encrypted to unencrypted at this stage.
This design is not a vulnerability but a feature. However, X Chat's privacy policy does not state whether this plaintext data will be used for Grok's model training or if Grok will store this conversation content. By actively clicking "Ask Grok," users are voluntarily removing the encryption protection of that message.
There is also a structural issue: How quickly will this button shift from an "optional feature" to a "default habit"? The higher the quality of Grok's replies, the more frequently users will rely on it, leading to an increase in the proportion of messages flowing out of encryption protection. The actual encryption strength of X Chat, in the long run, depends not only on the design of the Juicebox protocol but also on the frequency of user clicks on "Ask Grok."
X Chat's initial release only supports iOS, with the Android version simply stating "coming soon" without a timeline.
In the global smartphone market, Android holds about 73%, while iOS holds about 27% (IDC/Statista, 2025). Of WhatsApp's 3.14 billion monthly active users, 73% are on Android (according to Demand Sage). In India, WhatsApp covers 854 million users, with over 95% Android penetration. In Brazil, there are 148 million users, with 81% on Android, and in Indonesia, there are 112 million users, with 87% on Android.
WhatsApp's dominance in the global communication market is built on Android. Signal, with a monthly active user base of around 85 million, also relies mainly on privacy-conscious users in Android-dominant countries.
X Chat circumvented this battlefield, with two possible interpretations. One is technical debt; X Chat is built with Rust, and achieving cross-platform support is not easy, so prioritizing iOS may be an engineering constraint. The other is a strategic choice; with iOS holding a market share of nearly 55% in the U.S., X's core user base being in the U.S., prioritizing iOS means focusing on their core user base rather than engaging in direct competition with Android-dominated emerging markets and WhatsApp.
These two interpretations are not mutually exclusive, leading to the same result: X Chat's debut saw it willingly forfeit 73% of the global smartphone user base.
This matter has been described by some: X Chat, along with X Money and Grok, forms a trifecta creating a closed-loop data system parallel to the existing infrastructure, similar in concept to the WeChat ecosystem. This assessment is not new, but with X Chat's launch, it's worth revisiting the schematic.
X Chat generates communication metadata, including information on who is talking to whom, for how long, and how frequently. This data flows into X's identity system. Part of the message content goes through the Ask Grok feature and enters Grok's processing chain. Financial transactions are handled by X Money: external public testing was completed in March, opening to the public in April, enabling fiat peer-to-peer transfers via Visa Direct. A senior Fireblocks executive confirmed plans for cryptocurrency payments to go live by the end of the year, holding money transmitter licenses in over 40 U.S. states currently.
Every WeChat feature operates within China's regulatory framework. Musk's system operates within Western regulatory frameworks, but he also serves as the head of the Department of Government Efficiency (DOGE). This is not a WeChat replica; it is a reenactment of the same logic under different political conditions.
The difference is that WeChat has never explicitly claimed to be "end-to-end encrypted" on its main interface, whereas X Chat does. "End-to-end encryption" in user perception means that no one, not even the platform, can see your messages. X Chat's architectural design does not meet this user expectation, but it uses this term.
X Chat consolidates the three data lines of "who this person is, who they are talking to, and where their money comes from and goes to" in one company's hands.
The help page sentence has never been just technical instructions.
App