Major NPM attack steals only $1K as “blueprint for future Web3 fraud” evolves

While criminals behind the major NPM-related attack managed to steal only around $1,100 worth of crypto assets in four days, the scope of the campaign is expanding, sending a warning about a "blueprint for future Web3 fraud."
Data from Arkham Intelligence shows that the authors of the NPM supply chain attack, designed to steal crypto assets by replacing legitimate transaction addresses, stopped receiving stolen funds two days ago. In all, the thieves only managed to net $1,100 worth of Ethereum (ETH), Solana (SOL), and several other altcoins.
However, JFrog Security reports it also detected that DuckDB, an analytical in-process SQL database management system, was compromised one day after the NPM attack.
DuckDB confirmed that it has deprecated the affected packages and released new versions.
"Thankfully, according to npm, nobody has downloaded the affected versions," they added.
Still, security experts at Wiz warned that organizations "should treat the affected list as evolving, and assume that malicious versions of popular packages are still available for download and might be automatically included in development pipelines."
The affected NPM versions were available for download for two hours.
Meanwhile, it appears more NPM developers were targeted. According to crypto security firm SlowMist, discussions among developers show that many also received phishing emails, all prompting them to "update two-factor authentication information."
Wiz concluded that applications using the affected packages exclusively server-side (Node-only) are at lower risk.
"Whereas any environment that serves the tainted JavaScript to end-users is at some level of risk, with the highest level of risk reserved for any applications that incorporate cryptocurrency wallet or payment flows (dApps, tipping/donation widgets, embedded web3 components, checkouts, etc.)," they added, urging teams to "validate against your registry/mirror and keep blocklists current," as the list of affected packages should be treated as evolving.
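One way to act on that advice is to audit a project's lockfile against a blocklist of known-bad package versions, including transitive copies nested under other dependencies. The script below is an added example, not code from the article or from any vendor it quotes; the package names and versions in the blocklist and the sample lockfile are constructed placeholders, not the real affected list.

```javascript
// Added example: check an npm lockfile (lockfileVersion 2/3) against a
// blocklist of package versions. Blocklist entries are constructed
// placeholders; replace them with the current published list of affected versions.
const BLOCKLIST = {
  "example-colour-lib": new Set(["4.1.3"]),
  "example-debug-shim": new Set(["2.0.7", "2.0.8"]),
};

// Lockfile keys look like "node_modules/a" or "node_modules/a/node_modules/b";
// the package name is everything after the last "node_modules/" segment,
// which also keeps scoped names such as "@scope/pkg" intact.
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  if (idx === -1) return null;
  return lockPath.slice(idx + marker.length);
}

// Returns every installed package whose exact version is on the blocklist,
// with its install path so nested (transitive) copies can be traced.
function findBlockedPackages(lockfile, blocklist = BLOCKLIST) {
  const hits = [];
  for (const [lockPath, entry] of Object.entries(lockfile.packages || {})) {
    if (lockPath === "") continue; // root project entry, not a dependency
    const name = packageNameFromPath(lockPath);
    if (name && blocklist[name] && blocklist[name].has(entry.version)) {
      hits.push({ name, version: entry.version, path: lockPath });
    }
  }
  return hits;
}

// Constructed sample lockfile: one clean direct dependency of a blocklisted
// package, and one blocked version pulled in transitively by another package.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/example-colour-lib": { version: "4.1.2" },
    "node_modules/some-cli": { version: "9.0.0" },
    "node_modules/some-cli/node_modules/example-debug-shim": { version: "2.0.7" },
  },
};

const sampleHits = findBlockedPackages(SAMPLE_LOCK);
console.log(sampleHits.length ? "Blocked packages found:" : "Lockfile clean", sampleHits);
```

In a CI pipeline the same check would read `package-lock.json` from disk and fail the build when the returned list is non-empty.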
Another crypto security specialist, Cyvers, emphasized that the industry isn’t just vulnerable on-chain but increasingly through the Web2 stack. Attackers now poison JavaScript libraries, compromise cloud infrastructure, embed payloads in CI/CD tools, and hijack frontend code to manipulate address displays.
"It’s a blueprint for future Web3 fraud – blending trust, timing, and technology to extract value invisibly," they warned.