Author: Stellar Development Foundation
SDF security and engineering teams responded immediately and found:
All projects under the SDF GitHub organization are unaffected.
While the malicious package versions have been removed from the NPM registry, this is an evolving attack and more affected packages may be discovered. SDF will continue to monitor this evolving situation and will provide updates as needed.
Early on the morning of September 8, 2025, a major supply chain attack was discovered in the NPM ecosystem. Malicious versions of dozens of commonly used NPM packages (as listed here and here) were published to the NPM registry. These packages have billions of downloads weekly. The attack was accomplished through a phishing attack on a popular NPM developer. Despite the massive scale, the attack was identified quickly by the community and notifications were sent out across the industry in a matter of hours.
The methodology for this attack included passive address swapping and active transaction hijacking through “monkey-patched” fetch and XMLHttpRequest calls. These actions were focused on attacking wallets within the Bitcoin Classic (BTC), Bitcoin Cash (BCH), Litecoin (LTC), Solana (SOL), and Ethereum (ETH) ecosystems. The Stellar network is not targeted by this malware.
For NPM Projects:
Build Pipeline: Audit your build and deployment pipelines to ensure you have not downloaded and installed malicious versions of any affected package in any of your builds or releases.
For Developers: If you are a developer and locally built a project with NPM, or ran “npm” commands recently, audit your workstation to ensure that you did not download malicious versions of any affected packages on your system.
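
One way to run the audit described in the two steps above, as an added example that is not SDF's own tooling: it scans a parsed package-lock.json (v1 nested or v2/v3 flat layout) for exact name and version matches, including transitive copies. The package names and versions in DENYLIST and SAMPLE_LOCK are constructed placeholders, not the real affected list.

```javascript
// Constructed placeholder denylist: replace with the name/version pairs
// published in the advisories for this incident.
const DENYLIST = new Map([
  ['example-affected-pkg', ['1.2.3']],
  ['another-affected-pkg', ['4.5.6', '4.5.7']],
]);
const NM = 'node_modules/';

// Lockfile v2/v3: flat "packages" map keyed by install path.
function fromPackages(packages) {
  return Object.entries(packages)
    .filter(([path]) => path.includes(NM)) // skip root and workspace entries
    .map(([path, meta]) => ({
      // "name" is only present for aliases; otherwise take it from the path.
      name: meta.name || path.slice(path.lastIndexOf(NM) + NM.length),
      version: meta.version,
      path,
    }));
}

// Lockfile v1: nested "dependencies" tree.
function fromDependencies(deps, prefix = '') {
  return Object.entries(deps || {}).flatMap(([name, meta]) => {
    const path = `${prefix}${NM}${name}`;
    const nested = fromDependencies(meta.dependencies, `${path}/`);
    return [{ name, version: meta.version, path }, ...nested];
  });
}

// Return every installed copy (direct or transitive) on the denylist.
function findAffected(lock, denylist = DENYLIST) {
  const installed = lock.packages
    ? fromPackages(lock.packages)
    : fromDependencies(lock.dependencies);
  return installed.filter((p) =>
    (denylist.get(p.name) || []).includes(p.version));
}

// Constructed sample lockfile: the top-level copy is a clean version,
// but a nested transitive copy is a denylisted one.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/example-affected-pkg': { version: '1.2.2' },
    'node_modules/some-lib': { version: '2.0.0' },
    'node_modules/some-lib/node_modules/example-affected-pkg': { version: '1.2.3' },
  },
};
findAffected(SAMPLE_LOCK).forEach((h) => console.log(`AFFECTED ${h.name}@${h.version} at ${h.path}`));
```

To audit a real project, pass the parsed contents of its package-lock.json to findAffected. A lockfile only records what was pinned, so builds that ran without a committed lockfile need their installed node_modules tree checked instead.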