Threat Intelligence: Analysis of the Large-Scale NPM Package Poisoning Incident
Author: Joker & ccj
Editor: Liz
Background
In the early hours of September 9, 2025, a large-scale supply chain attack erupted in the NPM community, targeting the cryptocurrency industry. The incident affected multiple widely-used popular packages on the NPM platform, all authored by the same developer, qix. SlowMist’s self-developed Web3 threat intelligence and dynamic security monitoring tool, MistEye, responded immediately, quickly delivering relevant threat intelligence and providing critical security protection for users.
Key Points of the Attack
The attack originated from a phishing email received by developer qix, who reported that the attackers impersonated NPM officials. The email address used was support[@]npmjs[.]help.
qix also mentioned that the email’s subject was “Update Two-Factor Authentication Info”. The email contained a malicious link, https[://]www[.]npmjs[.]help/settings/qix/tfa/manageTfa?action=setup-totp; victims clicking “Update 2FA Now” would be redirected to this link.
Email content:
https://gist.github.com/Qix-/c1f0d4f0d359dffaeec48dbfa1d40ee9
Currently, this URL (https[://]www[.]npmjs[.]help) is no longer accessible and has been flagged as malicious on VirusTotal.
Discussions among other NPM developers show that many also received similar phishing emails, all prompting users to “update two-factor authentication information.”
From qix and other developers’ discussions, it is clear that this attack primarily involved phishing emails impersonating NPM officials. By tricking victims into updating their 2FA information, attackers took over the accounts and subsequently used the compromised accounts to publish NPM packages containing malicious code.
Analysis Process
Upon analyzing the compromised NPM packages, we identified highly obfuscated suspicious code in index.js. After deobfuscation and analysis, the malicious code’s main purpose was to steal users’ cryptocurrency, primarily through address replacement and transaction hijacking.
Address Replacement
The malicious code’s core logic is in the newdlocal() function, which performs address replacement using three sub-functions: f(), f2(), and f4().
f() implements the Levenshtein distance algorithm to measure string similarity. Its role is to pick, from the attacker’s preset address pool, the address that looks most like the original, so that the cryptocurrency address displayed to the user can be swapped for an attacker-controlled one that is hard to tell apart by eye.
f2() iterates through the address pool, using f() to determine which preset address is most similar to the original, returning the attacker address with the highest similarity.
f4() performs the actual replacement. The code first converts the regex object vO into key-value pairs with Object.entries(), then scans the input for strings matching any of the address formats. For each match, f4() calls f2() to select the visually most similar attacker address and substitutes it for the original. Consequently, users see the attacker’s address in the UI, and funds could be stolen if that address is copied directly into a transfer.
Variables explained:
- vA, vA2…vA7: attacker’s cryptocurrency address pool
- vO: regex object containing multiple cryptocurrency address formats
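The following is an added example, not code from the SlowMist write-up or from the malicious package. It implements the same Levenshtein metric that f() relies on and turns it into a pre-send check on the defender’s side: the recipient the user intended is compared with the recipient actually present in the outgoing transaction, and any difference blocks the send. The “lookalike” verdict (same leading and trailing characters, small edit distance) is an assumption about how a similarity-selected substitute address tends to look, added here as a triage hint; all addresses in the block are constructed sample values.

```javascript
// Added example: Levenshtein distance plus a recipient verification helper.
// Nothing here comes from the malicious package; the addresses are constructed.

// Classic single-row dynamic-programming edit distance
// (insertion, deletion and substitution each cost 1).
function levenshtein(a, b) {
  const prev = new Array(b.length + 1);
  for (let j = 0; j <= b.length; j++) prev[j] = j;
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];          // d[i-1][j-1]
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];       // d[i-1][j], needed as next diagonal
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + cost);
      diag = tmp;
    }
  }
  return prev[b.length];
}

// EVM addresses are case-insensitive hex (checksum casing aside), so they are
// lower-cased before comparison. Base58 addresses such as Solana's are
// case-sensitive and are compared as-is.
function normalise(addr) {
  return /^0x[0-9a-fA-F]{40}$/.test(addr) ? addr.toLowerCase() : addr;
}

// Compare the recipient the user intended with the one found in the payload
// that is about to be sent. Any difference is a blocking result; the `reason`
// only helps a human triage what happened.
function checkRecipient(intended, observed) {
  const a = normalise(intended);
  const b = normalise(observed);
  const distance = levenshtein(a, b);
  if (distance === 0) return { ok: true, distance, reason: 'match' };
  // Assumption: people verify addresses by their first and last few
  // characters, so a substitute with the same ends and a low edit distance
  // is the shape a similarity-selected swap produces.
  const sameEnds = a.slice(0, 4) === b.slice(0, 4) && a.slice(-4) === b.slice(-4);
  return { ok: false, distance, reason: sameEnds ? 'lookalike' : 'mismatch' };
}

// Constructed sample values for a stand-alone run.
const INTENDED = '0x' + 'ab'.repeat(20);
const LOOKALIKE = '0x' + 'ab'.repeat(9) + 'cdcd' + 'ab'.repeat(9);
const UNRELATED = '0x' + 'ff'.repeat(20);

function demo() {
  return {
    sameChecksumCase: checkRecipient(INTENDED, INTENDED.toUpperCase().replace('0X', '0x')),
    lookalike: checkRecipient(INTENDED, LOOKALIKE),
    unrelated: checkRecipient(INTENDED, UNRELATED),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The check is deliberately binary: a wallet front end should refuse to submit when `ok` is false and show both addresses to the user, since a transaction whose recipient differs from what was typed or selected is wrong regardless of how similar the two strings are.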
Transaction Hijacking
The malicious code’s main logic resides in the runmask() function. This function continuously monitors wallet connection status using f8(). Once a wallet connection is detected, f7() is triggered to establish wallet hijacking.
f7() uses Object.defineProperty() to replace core methods of window.ethereum (request, send, sendAsync) with malicious proxy functions generated by f6(), while backing up original methods in a Map object to intercept all wallet interactions.
f6() modifies transaction parameters by calling f5(), depending on the transaction type:
- eth_sendTransaction: calls f5(..., true) to alter transaction parameters
- solana_signTransaction / solana_signAndSendTransaction: calls f5(..., false) to replace public keys and recipient addresses
f5() implements specific parameter replacement logic:
- For simple ETH transfers, the recipient address is replaced with 0xFc4a4858bafef54D1b1d7697bfb5c52F4c166976
- For smart contract interactions, it parses the data field and replaces address parameters in common function signatures such as approve and transfer
- For other calls, non-attacker addresses are replaced with attacker-controlled addresses
- For Solana transactions, f5() replaces all addresses in instructions.accounts, keys.pubkey, and recipient/destination with 19111111111111111111111111111111
The attacker’s intent behind Solana address replacement remains unclear.
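The hooking technique described above (f7() redefining request, send and sendAsync on window.ethereum with Object.defineProperty) can be detected and, in many deployments, prevented from the page’s own side. The block below is an added example, not code from the write-up or from any wallet or package it mentions. It assumes a first-party script that runs before any bundled dependency can snapshot the provider’s methods; later, before a sensitive action, it verifies that their identity and property descriptors are unchanged. It also shows pinning the methods as non-writable, non-configurable own properties so that a later defineProperty call throws. The provider object is a constructed stand-in for window.ethereum so the block runs under Node; whether pinning is safe for a given wallet extension (some re-inject their provider) is an assumption to confirm per deployment.

```javascript
// Added example: integrity check for an injected wallet provider.
// The provider below is constructed; it only mimics the method names
// that window.ethereum exposes.

const PROVIDER_METHODS = ['request', 'send', 'sendAsync'];

function makeFakeProvider() {
  return {
    request: async (args) => ({ echoed: args }),
    send: () => 'send',
    sendAsync: () => 'sendAsync',
  };
}

// Record each method's function identity and its property descriptor, whether
// the property lives on the object itself or on its prototype.
function snapshotProvider(provider) {
  const snap = new Map();
  const proto = Object.getPrototypeOf(provider);
  for (const name of PROVIDER_METHODS) {
    const desc = Object.getOwnPropertyDescriptor(provider, name)
      || (proto && Object.getOwnPropertyDescriptor(proto, name));
    snap.set(name, { fn: provider[name], desc });
  }
  return snap;
}

// Compare the live provider against the snapshot. Returns human-readable
// findings; an empty array means none of the watched methods changed.
function verifyProvider(provider, snap) {
  const findings = [];
  for (const name of PROVIDER_METHODS) {
    const before = snap.get(name);
    if (provider[name] !== before.fn) {
      findings.push(`${name}: function identity changed`);
    }
    const desc = Object.getOwnPropertyDescriptor(provider, name);
    if (desc && !before.desc) {
      findings.push(`${name}: own property now shadows the prototype method`);
    } else if (desc && before.desc &&
               (desc.value !== before.desc.value || desc.get !== before.desc.get)) {
      findings.push(`${name}: property descriptor redefined on the provider`);
    }
  }
  return findings;
}

// Freeze the watched methods in place. Once a property is non-writable and
// non-configurable, Object.defineProperty with a different value throws.
function pinProvider(provider) {
  for (const name of PROVIDER_METHODS) {
    if (typeof provider[name] !== 'function') continue;
    Object.defineProperty(provider, name, {
      value: provider[name], writable: false, configurable: false, enumerable: true,
    });
  }
}

// Returns true when `request` can still be redefined (provider is hookable),
// false when the engine refuses the redefinition.
function canRedefineRequest(provider) {
  try {
    Object.defineProperty(provider, 'request', {
      value: function replaced() {}, writable: true, configurable: true,
    });
    return true;
  } catch (e) {
    if (e instanceof TypeError) return false;
    throw e;
  }
}

function demo() {
  // Unpinned provider: snapshot, then a later script redefines `request`
  // with a wrapper that forwards to a backed-up original, as the write-up
  // describes f7() doing. The check must flag it.
  const provider = makeFakeProvider();
  const snap = snapshotProvider(provider);
  const backup = new Map([['request', provider.request]]);
  Object.defineProperty(provider, 'request', {
    value: (args) => backup.get('request')(args), writable: true, configurable: true,
  });
  const findings = verifyProvider(provider, snap);

  // Pinned provider: the same redefinition attempt is rejected.
  const pinned = makeFakeProvider();
  pinProvider(pinned);
  return { findings, pinnedStillHookable: canRedefineRequest(pinned) };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Identity comparison is the strong signal: a wrapper that forwards to a backed-up original behaves normally under every functional test, but it is a different function object. Pinning converts the same condition from something you detect after the fact into a TypeError at the moment the hook is installed, which is also a useful place to log.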
Conclusion
This attack highlights the severe risks posed by phishing emails combined with social engineering. SlowMist recommends that developers remain highly vigilant about the source and domain of any email and avoid clicking suspicious links directly. Sensitive operations should be performed on the official website from a trusted environment.
Additionally, when building and releasing new versions, developers should lock dependency versions. Security or functional updates should pass an internal security audit before the locked versions are bumped, so that an update does not introduce new risks.
For more information on APT intelligence, dependency supply chain attacks, and other security data, consider using SlowMist’s MistEye Web3 threat intelligence and dynamic security monitoring tool to rapidly identify threats and block attacks.
Official Website: https://misteye.io/
Contact: https://www.slowmist.com/contact-us.html
About SlowMist
SlowMist is a blockchain security firm established in January 2018. The firm was started by a team with over ten years of network security experience to become a global force. Our goal is to make the blockchain ecosystem as secure as possible for everyone. We are now a renowned international blockchain security firm that has worked on various well-known projects such as HashKey Exchange, OSL, MEEX, BGE, BTCBOX, Bitget, BHEX.SG, OKX, Binance, HTX, Amber Group, Crypto.com, etc.
SlowMist offers a variety of services that include but are not limited to security audits, threat information, defense deployment, security consultants, and other security-related services. We also offer AML (Anti-money laundering) software, MistEye (Security Monitoring), SlowMist Hacked (Crypto hack archives), FireWall.x (Smart contract firewall) and other SaaS products. We have partnerships with domestic and international firms such as Akamai, BitDefender, RC², TianJi Partners, IPIP, etc. Our extensive work in cryptocurrency crime investigations has been cited by international organizations and government bodies, including the United Nations Security Council and the United Nations Office on Drugs and Crime.
By delivering a comprehensive security solution customized to individual projects, we can identify risks and prevent them from occurring. Our team was able to find and publish several high-risk blockchain security flaws. By doing so, we could spread awareness and raise the security standards in the blockchain ecosystem.
