Former WhatsApp Employee: Largest Supply Chain Attack in History Earned Hackers Less Than $1,000

The largest supply chain attack in the history of the npm ecosystem affected an estimated 10% of cloud environments. Despite the scale, researchers say the attackers made virtually no financial gain.

The incident occurred earlier this week and targeted about 20 of the most widely used npm packages, collectively responsible for more than 2.6 billion weekly downloads. Among them were popular libraries such as chalk, debug, and ansi-styles.

How the Attack Began

According to investigators, the breach started when attackers compromised the credentials of maintainer and developer Josh Junon (known online as Qix) through a phishing campaign. Once inside, the attackers published new versions of popular npm packages containing malicious code designed to steal cryptocurrency. The code attempted to redirect victims’ digital assets to wallets controlled by the attackers.

The malicious updates were detected quickly by the community, and all compromised packages were removed within a few hours.

Scale of the Breach

Analysts from Wiz report that at least one of the affected packages, which are core dependencies in nearly every JavaScript and Node.js project, was present in 99% of cloud environments. During the short time the malicious versions were live, they were downloaded into roughly 10% of those environments.

“During the two-hour window when the malicious versions were available on npm, the code successfully infiltrated every tenth cloud environment. This shows how quickly supply chain attacks can spread,” the researchers wrote.

While the disruption forced companies to spend significant time on recovery and auditing, the actual security impact—and the attackers’ profits—remained small.

Why the Hackers Earned Almost Nothing

Researchers from the Security Alliance found that the embedded malware primarily targeted browser environments. It intercepted requests to sign Ethereum and Solana transactions, swapping legitimate recipient addresses with attacker-controlled ones.

  • For Ethereum, the code checked for the presence of window.ethereum and then altered basic transaction functions such as approve, permit, transfer, and transferFrom. Redirected funds were sent to the wallet address 0xFc4a4858bafef54D1b1d7697bfb5c52F4c166976.
  • For Solana, the malware replaced recipient addresses with a malformed string beginning with “1911…”, which effectively broke the transfers rather than completing them.
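
As an added example (not code from the article or from any of the packages it names), the following dapp-side guard shows how the kind of recipient rewriting described above can be caught before a wallet is asked to sign: it decodes the ERC-20 approve/transfer/transferFrom calldata of an EIP-1193 eth_sendTransaction request and refuses any address that is not on the dapp's own expected list. The three ERC-20 selectors are real; the addresses, the `encodeTransfer` helper and the `guardProvider` wrapper are constructed for this example, and the check covers those ERC-20 calls generally rather than only the case the article describes.

```javascript
// Added example, not code from the article or any affected package: a dapp-side
// guard for EIP-1193 eth_sendTransaction requests. It decodes ERC-20
// approve/transfer/transferFrom calldata and rejects unexpected addresses.

// Real ERC-20 4-byte selectors mapped to the ABI argument index holding the
// recipient/spender (transfer, approve: arg 0) or destination (transferFrom: arg 1).
const SELECTORS = { '0xa9059cbb': 0, '0x095ea7b3': 0, '0x23b872dd': 1 };

// ABI args are 32-byte words (64 hex chars) after the 4-byte selector; an
// address is the low 20 bytes of its word.
function abiAddressArg(data, index) {
  const word = data.slice(10 + index * 64, 10 + (index + 1) * 64);
  return word.length === 64 ? '0x' + word.slice(24) : null;
}

// Every address the transaction touches: the `to` target plus, for a
// recognised ERC-20 call, the decoded address argument.
function addressesIn(tx) {
  const data = (tx.data || '0x').toLowerCase();
  const found = tx.to ? [tx.to.toLowerCase()] : [];
  const idx = SELECTORS[data.slice(0, 10)];
  const arg = idx === undefined ? null : abiAddressArg(data, idx);
  if (arg) found.push(arg);
  return found;
}

// Addresses NOT on the allow list; an empty result means the request still
// matches what the dapp intended to send.
function unexpectedAddresses(tx, allowed) {
  const ok = new Set([...allowed].map((a) => a.toLowerCase()));
  return addressesIn(tx).filter((a) => !ok.has(a));
}

// Wraps an EIP-1193 provider so eth_sendTransaction is checked before signing.
function guardProvider(provider, allowed) {
  return { request(args) {
    const bad = args.method === 'eth_sendTransaction'
      ? unexpectedAddresses(args.params[0], allowed) : [];
    if (bad.length) return Promise.reject(new Error('unexpected address: ' + bad));
    return provider.request(args);
  } };
}

// Constructed sample input: transfer(to, amount) calldata and fake addresses.
const encodeTransfer = (to, amt) => '0xa9059cbb' +
  to.slice(2).toLowerCase().padStart(64, '0') + amt.toString(16).padStart(64, '0');
const TOKEN = '0x' + '11'.repeat(20);
const PAYEE = '0x' + '22'.repeat(20);
const OTHER = '0x' + '33'.repeat(20); // stands in for a rewritten recipient
```

A dapp would hand `guardProvider(window.ethereum, allowed)` to its wallet library instead of the raw provider, so a request whose decoded recipient no longer matches the payee the UI showed is rejected before it reaches the wallet.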

Early analysis suggested the attackers mistakenly substituted addresses belonging to Uniswap and other swap contracts, rather than their own wallets. As a result, the financial gain amounted to only a few cents to about $50.

Follow-On Attacks

Shortly after, researchers at Socket reported that the same threat actors compromised the account of a DuckDB maintainer and injected the same malicious payload into that project’s packages.

Even with this second campaign, the attackers netted just $429 in Ethereum, $46 in Solana, and minor amounts in Bitcoin, Tron, Bitcoin Cash, and Litecoin—for a total of around $600.

Missed Opportunity for Greater Damage

Experts point out that the attackers’ decision to pursue simple cryptocurrency theft ultimately spared companies from more severe consequences. With the access they gained, the threat actors could have deployed reverse shells, moved laterally through networks, or launched ransomware and destructive payloads.

Instead, what could have been a catastrophic supply chain event ended as one of the most disruptive yet least profitable hacks in recent memory.