npm

According to GMGN data, the BAGS ecosystem Meme token NPM experienced a short-term sharp decline, with its market value dropping from a peak of $8.9 million to $800,000, a decline of over 80% in 1 hour, and a trading volume of $13.2 million within 5 hours of its launch.It is reported that the narrative of the NPM token pays tribute to Isaac Z. Schlueter, the founder of the world's largest package manager NPM, who is hailed as the "God of Programming."ChainCatcher reminds users that Meme coins generally have no practical use cases, and their price volatility is significant, so investment should be approached with caution.

The Chief Information Security Officer of Slow Fog Technology, 23pds, has issued a security alert regarding the latest variant of the NPM supply chain attack, "Shai-Hulud 3." All project teams and platforms are advised to take precautions. It was previously suspected that the leak of the Trust Wallet API key could have led to the Shai-Hulud 2 attack.Shai-Hulud is a series of self-propagating worm-like supply chain attacks targeting the NPM ecosystem, aimed at stealing developer credentials, cloud keys, and environment secrets. The latest variant (referred to by the community as Shai-Hulud 3 or new strain) was discovered on December 28, 2025, by Aikido Security researcher Charlie Eriksen. The current spread is limited and may only be in the testing phase.

Chief Information Security Officer of Slow Fog Technology 23pds issued a security alert, the latest variant of the NPM supply chain attack "Shai-Hulud 3" is once again on the rise. All project parties and platforms are advised to take precautions. It was previously suspected that the leak of the Trust Wallet API key might have led to the Shai-Hulud 2 attack.

ChainCatcher message, Scam Sniffer has detected another attack on the NPM supply chain. The package @ctrl/tinycolor (with 2.2 million downloads per week) has released a malicious version that runs an information-stealing program during the npm postinstall script execution to scan and steal sensitive data.This malicious payload abused the legitimate sensitive information scanning tool TruffleHog. Please check if you have downloaded the affected version, pause any installation/update operations, and pin the version to a known safe version.

ChainCatcher news, DuckDB's official Twitter account stated that the DuckDB Node.js and Wasm packages were compromised with malware in a recent npm supply chain attack. The official team has investigated and deprecated the affected versions, while releasing new versions. DuckDB stated that, according to npm data, no users have downloaded the affected packages. The team has released a security announcement detailing the post-analysis and response measures.

ChainCatcher message, Slow Mist Technology's Chief Information Security Officer 23 pds posted on X platform that the DuckDB NPM account was compromised, and malicious versions such as duckdb, duckdb-wasm, etc. were released. These malware are consistent with wallet-stealing malware seen in supply chain attacks. Please be aware of risk prevention.

ChainCatcher news, according to CertiK Alert monitoring, the NPM account of developer Qix has been phished, with attackers injecting malicious code into npm. According to Security Alliance, the attackers seem to have profited only about 0.05 dollars worth of ETH and 20 dollars worth of Meme coins.Earlier reports indicated that Ledger's Chief Technology Officer Charles Guillemet stated, "A large-scale supply chain attack is currently underway: the NPM account of a well-known developer has been compromised. The affected package has been downloaded over 1 billion times, which means the entire JavaScript ecosystem may be at risk. The malicious code works by silently altering cryptocurrency addresses in the background to steal funds."

ChainCatcher message, according to market news, well-known developer qix has had npm packages injected with malicious code due to a phishing attack, with related packages including chalk, strip-ansi, color-convert, etc.The attack method involves hooking wallet functions, tampering with ETH/SOL transaction receiving addresses, and replacing addresses in network responses. User advice: be sure to verify the recipient and amount in the wallet interface, check for address changes after pasting, review recent transactions, and prioritize using hardware wallets for high-value operations.

ChainCatcher message, the Socket Security Research Team has discovered four malicious npm packages that target Binance Smart Chain (BSC) and Ethereum users' wallets. These packages are pancake_uniswap_validators_utils_snipe (350 downloads), pancakeswap-oracle-prediction (445 downloads), ethereum-smart-contract (305 downloads), and env-process (1,054 downloads), with a total download count exceeding 2,100.The attackers use obfuscated JavaScript code to calculate the percentage of the target wallet balance and attempt to transfer up to 85% of the assets to a wallet address under their control.

ChainCatcher message, according to monitoring by the crypto security research organization Aikido Security, the official XRPL NPM package has been found to have a security vulnerability. This backdoor program steals user private keys and sends them to the attacker. The affected versions are 4.2.1 to 4.2.4, and Aikido Security recommends that users on earlier versions refrain from upgrading.