Overview
- Maintainer “qix” confirmed a phishing-led account takeover via emails from [email protected] that impersonated npm support.
- Malicious releases impacted packages including chalk, debug, and ansi-styles that collectively see about 2.6 billion downloads each week.
- Injected browser-side malware hooks wallet APIs and network responses to replace destination addresses across Ethereum, Bitcoin, Solana, Tron, Litecoin, and Bitcoin Cash.
- npm and the maintainer have begun pulling tainted versions, including debug, with remediation efforts and investigation still in progress.
- Ledger CTO Charles Guillemet advises meticulous hardware‑wallet verification, while software‑wallet users are urged to avoid on‑chain transactions for now.
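
An added example (not from the original report or from npm): a lockfile check that lists every resolved copy of the packages named above, including nested and aliased installs, so the versions can be compared with the registry's advisory. The sample lockfile, its other package names and all version strings are constructed, and the watch list holds only the three names this overview gives.

```javascript
"use strict";
// Names from the overview; the report says the affected set "includes" these.
const WATCHED = new Set(["chalk", "debug", "ansi-styles"]);

// Lockfile v2/v3: flat "packages" map keyed by install path.
function fromPackagesMap(packages) {
  const hits = [];
  for (const [path, meta] of Object.entries(packages)) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1 || meta.link) continue; // root project, workspaces, symlinks
    // "name" is only recorded when it differs from the path (npm aliases).
    const name = meta.name || path.slice(idx + "node_modules/".length);
    if (WATCHED.has(name)) hits.push({ name, version: meta.version, path });
  }
  return hits;
}

// Lockfile v1: nested "dependencies" tree.
function fromDependencyTree(deps, prefix = "") {
  const hits = [];
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    if (WATCHED.has(name)) hits.push({ name, version: meta.version, path });
    hits.push(...fromDependencyTree(meta.dependencies, `${path}/`));
  }
  return hits;
}

// Accepts the parsed content of package-lock.json.
function findWatched(lock) {
  return lock.packages
    ? fromPackagesMap(lock.packages)
    : fromDependencyTree(lock.dependencies);
}

// Constructed sample: unwatched names and all versions are made up.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/chalk": { version: "0.0.1-sample" },
    "node_modules/web-lib": { version: "0.0.1-sample" },
    "node_modules/web-lib/node_modules/debug": { version: "0.0.2-sample" },
    "node_modules/@scope/ansi-styles": { version: "0.0.3-sample" }, // scoped: a different package
    "node_modules/my-colors": { name: "chalk", version: "0.0.4-sample" }, // alias install
  },
};

for (const h of findWatched(SAMPLE_LOCK)) console.log(`${h.name}@${h.version}  ${h.path}`);
```

To check a real project, pass `findWatched` the result of `JSON.parse` on the contents of `package-lock.json`.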