NPM attack drains only $500 worth of meme coins

Source: Cryptopolitan

The recently discovered supply chain attack only affected a few wallets, drawing out around $500 in various tokens. However, the injection of malicious code into npm JavaScript packages exposed a large potential vulnerability of crypto usage. 

The recent supply chain attack, which could potentially drain crypto wallets, did not end up stealing millions. Based on the aggregated wallets used in the attack, only around $500 in assets was affected in the first 12 hours after the vulnerability was discovered.

As Cryptopolitan reported, initially, users were urged to stop sending crypto. However, a global permissionless system could not be stopped, and the expectation was for significant losses.  

Based on Arkham Intelligence data, the npm attacker wallets only stole around 0.22 SOL and other meme tokens for around $497. In the past day, the crypto space saw even bigger losses from the SwissBorg exchange and other protocols. However, the supply chain attack is still considered dangerous, and the small losses are due to the fact that the attacker did not get hold of any large-scale transactions. 

Supply chain npm attack resembles the Bybit hack

The supply chain attack was somewhat similar to the Bybit hack, in changing the destination wallet at the last moment. The compromised front-end code could potentially divert assets from sites that used some of the tainted JavaScript packages. 

In the case of the Bybit hack, the front-end exploit was deliberate and limited, but the npm supply chain code injection has affected up to 2B weekly downloads. Early reports show the effects of the tainted npm packages were limited.

Most of the major Web3 venues reported their code was safe and trading could continue. Most of the tokens stolen were on Ethereum, and included BRETT, DORKY, VISTA, and GONDOLA, with no ETH taken. 

The attack affected the wallets of some small-scale DEX traders and Uniswap liquidity providers, but not on a mass scale, showing the apps themselves were not compromised. The risk lay with the end client signing the transaction without sufficient manual verification. 
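A pre-signing check of the kind that last sentence points to, as an added example that is not from the article or from any affected project: in an ERC-20 transfer the transaction's `to` field is the token contract and the real recipient sits in the calldata, so a swapped destination only shows up after decoding. The `intent` object, the function names and the addresses are assumptions constructed for illustration.

```javascript
// Added example with constructed addresses; none come from the incident.
const TRANSFER_SELECTOR = "a9059cbb"; // ERC-20 transfer(address,uint256)
const ADDRESS_RE = /^0x[0-9a-fA-F]{40}$/;

// Compare two 20-byte hex addresses, ignoring checksum casing.
function sameAddress(a, b) {
  return ADDRESS_RE.test(a) && ADDRESS_RE.test(b) && a.toLowerCase() === b.toLowerCase();
}

// Build transfer calldata (used here only to construct the sample requests).
function encodeTransfer(recipient, amount) {
  return "0x" + TRANSFER_SELECTOR + recipient.slice(2).toLowerCase().padStart(64, "0") +
    amount.toString(16).padStart(64, "0");
}

// Decode recipient and amount from transfer calldata, or return null.
function decodeTransfer(data) {
  const m = /^0x([0-9a-f]{8})0{24}([0-9a-f]{40})([0-9a-f]{64})$/i.exec(String(data));
  if (!m || m[1].toLowerCase() !== TRANSFER_SELECTOR) return null;
  return { recipient: "0x" + m[2].toLowerCase(), amount: BigInt("0x" + m[3]) };
}

// intent: what the user picked, recorded before the request was assembled.
// tx: the request that is about to be handed to the wallet for signing.
function checkBeforeSigning(intent, tx) {
  const problems = [];
  if (!sameAddress(tx.to, intent.token)) problems.push("token contract differs");
  const decoded = decodeTransfer(tx.data);
  if (!decoded) {
    problems.push("calldata is not a plain ERC-20 transfer");
  } else {
    if (!sameAddress(decoded.recipient, intent.recipient)) problems.push("recipient differs");
    if (decoded.amount !== intent.amount) problems.push("amount differs");
  }
  return { ok: problems.length === 0, problems };
}

// Constructed sample: tx.to is the same token contract in both requests,
// but the second one carries a different recipient inside the calldata.
const intent = { token: "0x" + "11".repeat(20), recipient: "0x" + "22".repeat(20), amount: 1000n };
const honestTx = { to: intent.token, data: encodeTransfer(intent.recipient, intent.amount) };
const swappedTx = { to: intent.token, data: encodeTransfer("0x" + "33".repeat(20), intent.amount) };

console.log(checkBeforeSigning(intent, honestTx));
console.log(checkBeforeSigning(intent, swappedTx));
```

The check is only useful if `intent` is captured and compared in code that the tampered dependency cannot reach, such as the wallet itself or a hardware signer's display.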

Is crypto still at risk from the npm attack?

Crypto wallets are generally at risk from supply chain attacks. However, the potential to steal tokens depends on the apps themselves, and on a relatively small time window to perform the exploit. 

The examples of malicious crypto-stealing code have been widely published, potentially protecting app developers. 

The attacks happened following new downloads, meaning the vulnerabilities were injected in a limited number of crypto apps. Hours after the attack, it was also clear MetaMask users were the most affected, with no targeting of the desktop wallet ecosystem.
