Pickpocketing your crypto wallets

@meno · 2025-09-09 14:25 · Synergy Builders

I can’t say I’ve ever seen an attack on crypto, on digital sovereignty itself, of this magnitude. It blows my mind to imagine how many people may have been robbed in just a few hours.

(Image: AI generated)

The problem with news like this is that it gets too technical, and most people tune it out. “That’s for nerds,” they say. But this time it affects us all, and we should understand exactly how it happened — and how to protect ourselves.

The order of events is still a little murky, and I’ll admit I don’t fully buy the idea that the maintainer who was “hacked” is completely innocent. Something about it smells fishy, and I know fish — I live next to the ocean.

So what happened? A package maintainer (that’s what you call them, right?) got phished, and a hacker slipped malware into his npm account. That malicious code was published as new versions of some incredibly popular JavaScript packages. Unsuspecting developers, just doing their normal updates, pulled the poisoned versions right into their projects.

The list is long — 18 packages in total. And no, it wasn’t caught in time. For a short window, apps were shipping malware. The way it worked was nasty: if your wallet or app had one of these infected packages in its guts, it could intercept your crypto transactions. You’d think you were sending tokens to Alice — but the package would silently swap the address and send them to the attacker instead.

It was @spiritsurge who first raised the alarm. At first I thought I was safe. But the more I read, the more uneasy I felt. What if I wasn’t good?

So I audited my stuff — and sure enough, I had one of the compromised packages. How delightful.

In my case it was ansi-styles, usually just a boring little helper that adds color to terminal text. But the hijacked version wasn’t harmless. It sat there watching for window.fetch or XMLHttpRequest calls, waiting to hijack wallet interactions. Thankfully, Snapie doesn’t handle wallet functions, so we dodged the bullet.
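The hooking described above, as an added example that is not code from the post or from any of the packages it names: a defender-side tripwire that checks whether window.fetch and XMLHttpRequest.prototype.open/send have been replaced by JavaScript wrappers. It assumes the names and arities of the genuine browser functions listed in BROWSER_PRIMITIVES; the root object and the table are parameters so the same check can be exercised outside a browser.

```javascript
// Added example, not code from the post or from any npm package it names:
// a tripwire for the hooking technique described above. A hijacked module that
// wraps window.fetch or XMLHttpRequest.prototype.open/send must put a JavaScript
// function where the browser's native one was; such a wrapper does not print as
// "[native code]" and usually changes the function's name or arity.

// Body that V8, SpiderMonkey and JavaScriptCore print for built-in functions.
const NATIVE_BODY = /\{\s*\[native code\]\s*\}\s*$/;

// What the genuine browser functions look like (assumption: names and arities
// follow the WebIDL definitions of fetch() and XMLHttpRequest).
const BROWSER_PRIMITIVES = {
  'fetch': { name: 'fetch', length: 1 },
  'XMLHttpRequest.prototype.open': { name: 'open', length: 2 },
  'XMLHttpRequest.prototype.send': { name: 'send', length: 0 },
};

// Walk a dotted path such as "XMLHttpRequest.prototype.open" from `root`.
function lookup(root, path) {
  return path.split('.').reduce((o, k) => (o == null ? undefined : o[k]), root);
}

// Returns [{ path, reason }] for every primitive that no longer looks like the
// untouched built-in; an empty array means nothing was detected.
function findHookedPrimitives(root = globalThis, expected = BROWSER_PRIMITIVES) {
  const findings = [];
  for (const [path, want] of Object.entries(expected)) {
    const fn = lookup(root, path);
    if (typeof fn !== 'function') {
      findings.push({ path, reason: 'missing or not a function' });
      continue;
    }
    // Call Function.prototype.toString directly so an attacker-supplied
    // fn.toString cannot lie about the body.
    const body = Function.prototype.toString.call(fn);
    if (!NATIVE_BODY.test(body)) {
      findings.push({ path, reason: 'replaced by JavaScript wrapper' });
      continue;
    }
    // Bound functions also print "[native code]" but rename themselves
    // ("bound fetch"), so name and arity are a second signal.
    if (fn.name !== want.name || fn.length !== want.length) {
      findings.push({ path, reason: `signature mismatch: ${fn.name}/${fn.length}` });
    }
  }
  return findings;
}

// In a page: run this before any third-party bundle and alert on a non-empty result.
```

A Proxy around the native function passes both checks, so treat an empty result as "nothing detected" rather than proof of integrity, and the check is only meaningful if it runs before the injected code does.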

Still — crazy few days. I wish I could say the person who did this will face real consequences, but it doesn’t look like that’s happening.

Another round in the timeless battle between good and evil.

MenO

#devlog #pob #js #npm #vulnerability #checkyourcode #pimp #hive #journaling
Payout: 9.333 HBD
Votes: 60