The world’s largest crypto exchange by trading volume, Binance, reassured customers on Tuesday that no user data or assets were compromised during one of the largest supply chain attacks ever to hit the JavaScript ecosystem.Â
According to a statement posted on X, Binance stated no harm was done to its database during a breach that targeted widely used Node.js packages involved in over 2 billion weekly app downloads.
“We’re aware of the recent supply chain attack, which published malicious versions of several widely used JavaScript packages,” the company wrote. “After investigation, we’ve confirmed we were not impacted and no customer data or assets are at risk. Security remains our top priority, this compromise is a reminder of how critical supply chain security is. Stay SAFU.”
Speaking about the supply chain attack on the social platform, co-founder Changpeng Zhao, also known as CZ, remarked, “Even open-source software is not safe these days. Web3 will redefine security for Web2. We are still early.”
Supply chain attack on JavaScript packages scares crypto investors
The attack, which security researchers have called one of the largest in NPM’s history, took place on September 8. Hackers compromised the account of a trusted open-source maintainer known by the handle “qix,” also identified as Josh Junon.Â
The attackers tricked Junon through a phishing email impersonating official communications from npmjs, the central repository for JavaScript packages. As seen in the fraudulent email, the perpetrators convinced Junon that his account would be locked on September 10, 2025, unless he immediately updated his two-factor authentication credentials.Â
“As part of our ongoing commitment to account security, we are requesting that all users update their Two-Factor Authentication (2FA) credentials. Our records indicate it has been over 12 months since your last 2FA update,” the email read.
Junon confirmed on X that he had fallen victim to the phishing scheme after another maintainer revealed his NPM account was “posting packages with backdoors,” which enabled attackers to hijack his account and push malicious updates to 18 popular Node.js libraries.Â
The packages included chalk, debug, ansi-styles, and strip-ansi, all of which are embedded in the web.
Malicious code targets crypto transactions
According to analysis by Aikido Security, the attackers injected code into the compromised packages that allowed them to act as browser-based interceptors. The code was slipped into the index.js files, where it could hijack network traffic and application APIs in any application using the tainted packages.
The malicious script monitors for wallet addresses and transactions of major digital assets, including Bitcoin, Ethereum, Solana, Tron, Litecoin, and Bitcoin Cash. Once detected, the malware silently replaced the destination wallet address with one controlled by the attackers, redirecting funds without the victim’s knowledge.
As covered by Cryptopolitan yesterday, the chief technology officer at hardware wallet maker Ledger, Charles Guillemet said the malicious code had already been propagated into packages with more than one billion downloads.
Blockchain analytics firm Arkham Intelligence reported late Monday that only $159 worth of cryptocurrency had been stolen so far. The stolen funds were traced to addresses identified in the original disclosures shared by Ledger’s security team.Â
However, researchers believe the low figure does not mean there will be limited potential damage, given the billions of downloads associated with the compromised packages.
