‘Widespread’ Crypto Exploit That Created Panic Steals Only $1K From Users

A large-scale hacking exploit targeting JavaScript code with malware that raised alarms earlier this week has managed to steal only $1,043 in cryptocurrency, according to data from Arkham Intelligence.

Cybersecurity researchers at Wiz published analysis of a “widespread” supply chain attack yesterday, writing in a blog post that bad actors used social engineering to gain control of a GitHub account belonging to Qix (Josh Junon), a developer of popular code packages for JavaScript.

The hackers published updates for some of these packages, adding malicious code that would activate APIs and crypto-wallet interfaces, as well as scan for cryptocurrency transactions in order to rewrite recipient addresses and other transaction data.

Alarmingly, Wiz’s researchers conclude that 10% of cloud environments contain some instance of the malicious code, and that 99% of all cloud environments use some of the packages targeted by the hackers responsible—but not all of these cloud environments would have downloaded the infected updates.



Despite the potential scale of the exploit, the latest data from Arkham suggests that the threat actor’s wallets have so far received the relatively modest sum of $1,043.

This has grown very incrementally in the past couple of days, encompassing transfers mostly of ERC-20 tokens, with individual transactions worth anything between $1.29 and $436.

The same exploit has also expanded beyond Qix’s npm packages, with an update yesterday from JFrog Security revealing that the DuckDB SQL database management system has been compromised.

This update also suggested that the exploit “appears to be the largest npm compromise in history,” highlighting the alarming scale and scope of the attack.

Such software supply chain attacks are becoming more common, Wiz Research researchers told Decrypt.

“Attackers have realized that compromising a single package or dependency can give them reach into thousands of environments at once,” they said. “That’s why we’ve seen a steady rise in these incidents, from typosquatting to malicious package takeovers.”

Indeed, the past few months have witnessed numerous similar incidents, including the insertion of malicious pull requests into Ethereum’s ETHcode extension in July, which garnered over 6,000 downloads.

“The npm ecosystem in particular has been a frequent target because of its popularity and the way developers rely on transitive dependencies,” said Wiz Research, whose members include the authors of Wiz’s blog on the Qix hack, Hila Ramati, Gal Benmocha and Danielle Aminov.

According to Wiz, the latest incident reinforces the need to protect the development pipeline, with organizations urged to maintain visibility across the entire software supply chain, while also monitoring for anomalous package behavior.

This seems to be what many organizations and entities were doing in the case of the Qix exploit, which was detected within two hours of publication.

Quick detection was one of the main reasons why the exploit’s financial damage remains limited, yet Wiz Research suggests there were other factors at play.

“The payload was narrowly designed to target users with specific conditions, which likely reduced its reach,” they said.

Developers are also more aware of such threats, Wiz’s researchers add, with many having protections in place to catch suspicious activity before it results in serious damage.

“It’s always possible we’ll see delayed reports of impact, but based on what we know today,” they said, “the quick detection and takedown efforts seem to have limited the attacker’s success.”

Source