Regarding the "NPM supply chain attack," OKX Wallet stated that OKX always prioritizes system security and strictly manages the risks of using third-party components throughout product development and launch. An internal review and assessment confirmed that the OKX app, developed based on native Android and iOS frameworks, poses no security risks. The OKX plugin, web application, and mobile DApp browser do not use the affected third-party components. All platform services are operating normally, and users can continue to use the platform with confidence. The attacker reportedly stole the NPM account credentials of developer qix via a phishing email disguised as npmjs support. The attacker then injected malicious code into 18 popular JavaScript packages released by qix, including chalk and debug-js, which have over 2 billion weekly downloads. This attack is considered the largest supply chain attack in history. Notably, the malicious code did not attempt to locally install a trojan or steal files, but instead specifically targeted Web 3 scenarios: if it detected the presence of window.ethereum in the browser environment, it would hijack transaction requests. The malicious code tampered with the browser's Ethereum and Solana transaction requests, redirecting funds to addresses controlled by the attacker (such as the Ethereum address 0xFc4a4858...) and stealing assets by replacing the encrypted address in the JSON response. Although the page displayed the legitimate transaction address, the actual funds were transferred to the attacker's address.
Miyuki
