How to stay safe from the NPM attack if you’re using MetaMask, Phantom, Trust or any crypto wallet
A new cyberattack has put millions of crypto users on alert after hackers slipped malicious code into NPM, the software registry that powers thousands of apps and websites, including many tied to crypto wallets.
What exactly is NPM?
For non-developers, NPM (Node Package Manager) is like a giant library of free building blocks that software developers use to create apps. Every time you interact with a wallet extension like MetaMask or a DeFi dashboard, chances are some part of its code comes from NPM.
The problem is, if attackers sneak malware into one of those building blocks, it can spread to thousands of apps without users realizing. With more than 2 billion downloads every week, NPM is the plumbing of the internet, and a prime target.
How the attack works
Developers first noticed something was wrong when code builds started failing. Researcher StarPlatinum explained:
Once inside, the malware had two tricks. As Minal Thukral detailed:
“The malware uses two sophisticated methods:
– Clipboard Hijacking: When you paste a wallet address, it stealthily swaps it with an attacker’s look-alike, making it extremely hard to spot the difference.
– Transaction Interception: It directly hooks into your wallet’s functions. When you go to sign a transaction, it changes the recipient’s address in the background before the confirmation prompt even appears.”
You could think you’re sending coins to a friend, but the malware might quietly reroute them to a hacker.
So far, the attacker’s Ethereum wallet and several backups have been identified, and no stolen funds have been moved. But the fact that the code ran in apps with billions of downloads has shaken trust.
sol.engineer summed it up:
What wallet users should do now
The first step is slowing down. Many crypto users only check the first and last few digits of wallet addresses when sending money, but that’s exactly what attackers exploit.
As sol.engineer warned:
“Double-check every address before sending, slow down & verify every single character (NOT just first/last 4).”
For users of MetaMask, Phantom, or Trust Wallet, that means carefully reading the full address on the confirmation screen before you hit send.
Hardware wallets like Ledger or Trezor add another layer of protection. Because they display transaction details on a separate device, even if malware tampers with your computer or phone, the hardware wallet shows the real address before you confirm.
Minal Thukral put it bluntly:
“Your final confirmation screen is your last line of defense. You must meticulously verify every single character of the recipient address in your wallet app or on your hardware wallet screen before approving any transaction.”
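For readers who script their own checks, here is an added example (not code from the original story or from any wallet) of comparing the address shown on a confirmation screen against one saved in advance. It shows why matching only the first and last four characters is not enough. Both addresses are constructed for illustration, and the case-insensitive comparison of 20-byte hex addresses is an assumption of this sketch.

```javascript
// Constructed sample addresses (not indicators from the incident).
const TRUSTED   = "0x8f3a1c9e4b7d2a6f0c5e1b9d3a7f4c2e6b0d9a1c";
const LOOKALIKE = "0x8f3a7e2d9c4b1f6a0d3c8e5b2a9f7d4c1e6b9a1c"; // same first/last 4

// Accept only a well-formed 20-byte hex address; compare case-insensitively.
function normalize(addr) {
  const a = String(addr).trim().toLowerCase();
  if (!/^0x[0-9a-f]{40}$/.test(a)) throw new Error("not a 20-byte hex address");
  return a;
}

// The shortcut many users take: only the first and last n hex digits.
function edgesMatch(a, b, n = 4) {
  const x = normalize(a).slice(2), y = normalize(b).slice(2);
  return x.slice(0, n) === y.slice(0, n) && x.slice(-n) === y.slice(-n);
}

// Every index (counting the "0x" prefix) where the two addresses differ.
function diffPositions(a, b) {
  const x = normalize(a), y = normalize(b);
  const out = [];
  for (let i = 0; i < x.length; i++) if (x[i] !== y[i]) out.push(i);
  return out;
}

// "match": identical. "lookalike": passes the edge check but differs inside.
// "different": fails even the edge check.
function checkRecipient(expected, shown) {
  const diffs = diffPositions(expected, shown);
  if (diffs.length === 0) return { verdict: "match", diffs };
  return { verdict: edgesMatch(expected, shown) ? "lookalike" : "different", diffs };
}

// Render a caret line marking each differing character for a visual check.
function markDiffs(expected, shown) {
  const { diffs } = checkRecipient(expected, shown);
  const marks = Array(42).fill(" ");
  diffs.forEach((i) => (marks[i] = "^"));
  return `${normalize(expected)}\n${normalize(shown)}\n${marks.join("")}`;
}

console.log(checkRecipient(TRUSTED, LOOKALIKE).verdict);
console.log(markDiffs(TRUSTED, LOOKALIKE));
```

A "lookalike" verdict is the case the quotes above describe: the edge check passes while characters in the middle differ.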
What should you do?
This incident was caught quickly, but it shows how vulnerable crypto can be when the tools developers rely on are compromised. For average users, the best defenses are vigilance and hardware protection.
StarPlatinum offered the final reminder:
“This time, the community caught it fast. But the fact that 2 billion weekly downloads were compromised shows how fragile our systems are.”
Note: If you’re using MetaMask, Phantom, Trust Wallet, or any crypto app, the advice is simple: take your time, check every character, and when possible, use a hardware wallet.
This story was originally reported by TheStreet on Sep 8, 2025, where it first appeared in the Innovation section.