Flamingo Finance unaffected by recent npm supply chain compromises

Flamingo Finance has confirmed it was not affected by two recent supply chain compromises on npm. The first incident targeted cryptocurrency users by injecting wallet-hijacking code into 18 widely used JavaScript packages.

Days later, a separate campaign compromised more than 40 packages with a self-replicating worm.

What is a supply chain attack?

A supply chain attack occurs when malicious code is introduced into software components that others rely on. Because open-source libraries are reused across countless projects, a single compromise can spread widely through the ecosystem.

Modern development practices only serve to heighten the risk. Applications often rely on hundreds of small libraries maintained by only a few individuals. With AI-assisted coding pulling in even more packages automatically, the number of dependencies – and attack surfaces – continues to grow.

How the malware worked

In the crypto-focused incident, attackers gained control of a single maintainer account, which gave them npm publishing access that they used to push the malicious code. The incident was detected by the security firms Aikido and Socket, which noted that the attack could have affected billions of downloads each week.

The first malware used a browser-based interceptor. It hooked into core functions such as fetch, XMLHttpRequest, and wallet APIs, scanning for EVM transfer requests. When a transaction was detected, it silently replaced the destination address with one controlled by the attacker, using a lookalike address to avoid raising suspicion.
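Two browser-side checks that follow from the description above, written here as an added example rather than code from the article, the malware, or Flamingo Finance. The first asks whether globals such as `fetch` and `XMLHttpRequest` still stringify as native functions, which a JavaScript wrapper installed by a hooked dependency does not; it is a heuristic only, since a wrapper can also replace `toString`. The second compares the recipient the user intended against the `to` field of the transaction handed to the wallet as a full, case-insensitive string, so a lookalike address that shares leading and trailing characters still fails. All function names and the sample addresses are constructed for illustration.

```javascript
// Added example (not from the article or Flamingo Finance): defensive checks
// a wallet-connected web app can run before asking the wallet to sign.
// Function names and sample values below are constructed for illustration.
"use strict";

// A native browser function stringifies to "function fetch() { [native code] }";
// a hook written in JavaScript stringifies to its own source instead.
// Heuristic only: a wrapper can also override toString.
function isNativeFunction(fn) {
  if (typeof fn !== "function") return false;
  const src = Function.prototype.toString.call(fn);
  return /\{\s*\[native code\]\s*\}\s*$/.test(src);
}

// Return the names on `globalObj` that no longer look native (empty = nothing hooked).
function findHookedGlobals(globalObj, names) {
  return names.filter((name) => !isNativeFunction(globalObj[name]));
}

// Normalise an EVM address for comparison: "0x" plus 40 hex digits, lower-cased,
// so checksummed and lower-case spellings of the same account compare equal.
function normalizeAddress(addr) {
  if (typeof addr !== "string") return null;
  const a = addr.trim().toLowerCase();
  return /^0x[0-9a-f]{40}$/.test(a) ? a : null;
}

// True only if the transaction's `to` is exactly the address the user intended.
// A lookalike that matches the first and last characters still fails here.
function recipientMatches(intendedTo, txParams) {
  const want = normalizeAddress(intendedTo);
  const got = normalizeAddress(txParams && txParams.to);
  return want !== null && got !== null && want === got;
}

// Constructed sample: the intended recipient and a tampered transaction whose
// `to` shares the leading "1111" and trailing "1111" but differs in the middle.
const INTENDED_TO = "0x1111" + "2".repeat(32) + "1111";
const TAMPERED_TX = { to: "0x1111" + "3".repeat(32) + "1111", value: "0x1" };

// Run both checks against a constructed "globals" object (native built-ins stand
// in for unhooked browser functions) and the constructed transaction.
function demo() {
  const fakeGlobals = { fetch: Math.max, XMLHttpRequest: JSON.parse };
  return {
    hooked: findHookedGlobals(fakeGlobals, ["fetch", "XMLHttpRequest"]),
    recipientOk: recipientMatches(INTENDED_TO, TAMPERED_TX),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

In a real page the first check would be run against `window` early in the page's own startup, before third-party bundles load; the second belongs immediately before the signing request, using the address the user typed or selected rather than any value that has passed through the dependency graph.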

The worm discovered days later had different intentions. It harvested npm tokens, SSH keys, and other credentials from developer environments, then republished itself across additional packages. While it did not target cryptocurrency directly, it showed how quickly a single breach could cascade through the registry.

Impact on cryptocurrency users

The attackers’ initial focus was on Ethereum-compatible wallets such as MetaMask. Despite the reach of the compromised packages, blockchain monitors tracked less than US $500 flowing to attacker addresses.

Experts credited rapid detection and response with limiting the damage.

Flamingo Finance said it was unaffected because its decentralized exchange does not rely on direct EVM transfer flows. Instead, it only uses EVM for cross-chain operations, which the malware did not attempt to exploit.

Structural risks

Both incidents highlight the fragility of the open-source supply chain. A single stolen credential can expose billions of downloads. Many of these packages are maintained by individuals or very small teams without resources to defend against targeted attacks.

Researchers have called for stronger protections, including mandatory hardware keys for maintainers, stricter publish rights, and cryptographic attestations for new releases. Without these changes, phishing and credential theft will remain reliable entry points for attackers.

Staying safe

Defensive steps for developers include enforcing hardware-backed authentication, restricting publishing permissions, rotating credentials, pinning dependency versions, and scanning builds for anomalies.

Adopting provenance attestation in CI/CD pipelines further reduces exposure.
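Three of the developer-side steps listed above (pinning versions, verifying what the lockfile resolves, and scanning for anomalies) can be checked mechanically. The following is an added example, not the article's or any project's code: it takes parsed `package.json` and `package-lock.json` style objects plus the manifests of installed packages, all constructed inline, and reports unpinned ranges, lockfile entries that lack an `integrity` hash, and packages that declare install-time lifecycle scripts, which is where a credential-harvesting worm of the kind described above would execute. Function names are the author's own and not an npm API.

```javascript
// Added example (not from the article): a small dependency-hygiene audit over
// constructed package.json / package-lock.json style objects. Names of the
// functions and sample packages are hypothetical.
"use strict";

// Exact semver with optional prerelease/build suffix; "^1.2.3" and "~1.2.3" fail.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$/;
// Lifecycle scripts npm runs for a dependency during installation.
const INSTALL_SCRIPTS = ["preinstall", "install", "postinstall"];

// (a) Ranges let a freshly published malicious release be pulled in on the
// next install; exact pins do not.
function findUnpinned(dependencies) {
  return Object.entries(dependencies || {})
    .filter(([, range]) => !EXACT_VERSION.test(range))
    .map(([name, range]) => `${name}@${range}`);
}

// (b) lockfileVersion 2/3 keeps resolved packages under "packages", keyed by
// path; each non-root entry should carry an `integrity` hash so a swapped
// tarball is rejected at install time.
function findMissingIntegrity(lockfile) {
  const packages = (lockfile && lockfile.packages) || {};
  return Object.entries(packages)
    .filter(([path, entry]) => path !== "" && !entry.integrity) // "" is the root project
    .map(([path]) => path);
}

// (c) Packages whose manifest declares an install-time script; surface them
// for review rather than letting them run unnoticed.
function findInstallScripts(installedManifests) {
  return Object.entries(installedManifests || {})
    .filter(([, m]) => m.scripts && INSTALL_SCRIPTS.some((s) => s in m.scripts))
    .map(([name]) => name);
}

// Combine the three checks; `clean` is true only when every list is empty.
function auditDependencies({ packageJson, lockfile, installedManifests }) {
  const unpinned = findUnpinned(packageJson && packageJson.dependencies);
  const missingIntegrity = findMissingIntegrity(lockfile);
  const installScripts = findInstallScripts(installedManifests);
  const clean = unpinned.length === 0 && missingIntegrity.length === 0 && installScripts.length === 0;
  return { unpinned, missingIntegrity, installScripts, clean };
}

// Constructed sample inputs (package names, versions and the hash are made up).
const SAMPLE_PACKAGE_JSON = {
  dependencies: { "left-lib": "^2.1.0", "pinned-lib": "3.4.5", "tilde-lib": "~1.0.0" },
};
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/pinned-lib": { version: "3.4.5", integrity: "sha512-EXAMPLEHASH" },
    "node_modules/left-lib": { version: "2.1.7" }, // no integrity recorded
  },
};
const SAMPLE_INSTALLED = {
  "pinned-lib": { version: "3.4.5", scripts: { test: "node test.js" } },
  "left-lib": { version: "2.1.7", scripts: { postinstall: "node setup.js" } },
};

function demo() {
  return auditDependencies({
    packageJson: SAMPLE_PACKAGE_JSON,
    lockfile: SAMPLE_LOCKFILE,
    installedManifests: SAMPLE_INSTALLED,
  });
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Run against a real project, the inputs would be `JSON.parse` of the two files and the `package.json` of each directory under `node_modules`. Installing with `npm ci` rather than `npm install` makes npm refuse to proceed when the lockfile and manifest disagree, and `npm config set ignore-scripts true` stops install-time scripts from running at all, which turns finding (c) from a review item into a hard block.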

End users can reduce risk by delaying updates until new versions are vetted, minimizing the number of wallet-connected apps and extensions, and using hardware or multi-signature wallets for significant balances.
