Community reacts to attack that threatens cryptocurrency wallets

The revelation of a software supply chain attack sparked a wave of backlash in the crypto community. Researchers discovered malicious updates to NPM packages, a key tool for JavaScript development, raising concerns about the impact it could have on the security of millions of wallets.
The account of a well-known developer, identified as “qix,” was compromised, allowing the publication of altered versions of widely used libraries. Malware capable of detecting the presence of wallets such as MetaMask and manipulating transactions in real time was inserted into them.
As reported, the malicious code intercepts the transaction data before it reaches the wallet, replaces the recipient’s address, and forwards the operation to the user, who, with no warning, ends up signing transfers to addresses controlled by the attackers.
While the attack primarily targets developers, the scale at which these packages are distributed makes it an indirect threat to millions of end users, especially those who store cryptocurrencies in internet-connected wallets.
The news generated a strong impact on the community. Changpeng Zhao (CZ), former CEO of Binance, warned, “Even open-source software is no longer secure. Web3 will redefine security for Web2. We’re still at an early stage.”
With this comment, CZ stressed that trust in open source software does not guarantee immunity from supply chain vulnerabilities. Although such programs can be audited by the community, the size of the ecosystem and the dependence on external libraries open the door to attacks that are difficult to detect.
Other actors called the attack one of the most severe in recent history. Quinten François, co-founder of weRate — a community review platform based on trust and authenticity — called it “the biggest supply chain hack ever seen,” noting that NPM is a tool used by millions of bitcoin and cryptocurrency apps and wallets globally.
François stressed that even hardware wallet users should carefully review each transaction before signing it and, following the recommendation of Ledger’s CTO, advised temporarily suspending on-chain transfers if they do not have this type of device.
Latin American specialists warn of the impact
Warnings about the attack also emerged from Latin America. Specialists from the region emphasized the importance of adequately protecting the funds and taking extreme precautions. The analyst known as BtcAndres was blunt: “You should meticulously verify every character of the recipient’s address in your wallet app or on your hardware wallet screen before approving any transaction.”
He also said that the malicious script contains extensive lists of addresses belonging to the attackers, covering multiple cryptocurrencies, including bitcoin (BTC), ether (ETH), solana (SOL), litecoin (LTC), and bitcoin cash (BCH).
For his part, Manuel Ferrari, president of the NGO Bitcoin Argentina, recommended always verifying the complete address shown on the device’s screen before signing a transaction, rather than checking only the first or last characters. He recalled that if a mistake is made and the funds are sent to the wrong address, there is no way to recover them: “In Bitcoin, there is no going back.”
Ferrari also suggested migrating to software that does not depend on NPM, such as Sparrow Wallet, and using it together with compatible hardware wallets, including Trezor, Ledger, BitBox, Jade, or Keystone. For devices without a screen, such as BitKey or Tangem, he urged temporarily suspending operations until secure updates are released.
Amid the alerts about the attack, it is worth noting that the Cuba Bitcoin educational community reported receiving a batch of 10 Blockstream Jade hardware wallets, donated by the Mi Primer Bitcoin educational academy in El Salvador and by Blockstream.
These devices will be used to conduct self-custody workshops across the country, and according to the Blockstream team, their product “does not use JavaScript or NPM, so neither the app nor the Jade devices have been affected by the ongoing attack on NPM’s supply chain.” The company nonetheless asked users to carefully verify addresses when sending and receiving funds.
Following the spread of the NPM supply chain attack, major bitcoin and crypto wallet companies issued statements assuring that their tools were not compromised. Ledger and Trezor confirmed that their custody devices do not include the vulnerable technologies.
Other popular wallets, such as Sparrow, Blockstream Jade, Wasabi, Electrum, ColdCard, and SeedSigner, among many others, also reported that they remain unaffected. Meanwhile, researcher Rani Haddad, using the Arkham Intelligence tracking platform, identified some wallets linked to the attacker, which show a total balance of just $500 spread across various cryptocurrencies, indicating that the actual economic impact was minimal.
The fact remains that, although not all end users are directly affected, the episode makes it clear that the security of funds depends to a large extent on manual verification and the use of specialized devices. Prevention and attention to detail are, in these cases, the best defense against attacks that seek to exploit the ecosystem’s infrastructure.
In the case at hand, it is best to temporarily suspend on-chain operations. However, manually verifying each character of the recipient’s address remains valid advice at all times.