Supply Chain Attack Targets Frontend Ecosystem: Protecting Your Digital Assets

A large-scale npm frontend supply chain attack has recently been identified, where attackers compromised the npm account of a well-known developer (qix) via phishing. They then published malicious versions of popular JavaScript packages (such as chalk and debug), embedding malicious code.

This code hijacks native objects like Fetch, XHR, and window.ethereum at runtime. It scans network responses and parameters for address strings and replaces the victim’s address with the “closest” matching address from a built-in list of malicious addresses. The attack impacts assets on major chains, including ETH, BTC (legacy/segwit), TRON, LTC, BCH, and SOL.

What is a Supply Chain Attack?

A supply chain attack is a cyberattack where adversaries infiltrate an organization by targeting less secure elements in its supply network. Rather than attacking the target directly, they compromise a trusted third-party vendor, partner, or software provider. By embedding malicious code or components into products or services, attackers can exploit the trust between the supplier and the end user to compromise the final target system.

Key Attack Methods in This Incident

Email Phishing: The developer was tricked into performing a 2FA reset, allowing attackers to seize control of their npm account.
Publishing Malicious Packages: New, malicious versions were published for dozens of widely-depended-on packages.
Transaction Address Tampering: During frontend execution, the malicious code actively scans for potential transaction addresses and replaces them with addresses controlled by the attacker.

Safeheron conducted an immediate and comprehensive audit of all internal repositories and is pleased to confirm that no Safeheron products are affected by this incident.

Best Practices for Frontend Supply Chain Security

To enhance protection for ourselves and our clients, Safeheron advocates for and implements the following frontend supply chain security best practices:

Version Pinning and Controlled Installation: Use npm ci to install dependencies based on the package-lock.json file, eliminating the risks associated with floating versions.

Strict Vetting of External Dependencies: Establish clear criteria for dependency admission, including project star count, maintenance activity, and minimal functional scope. All dependency upgrades must undergo rigorous security assessments and scans.
Internal Dependency Caching and Regular Audits: Implement an internal caching proxy for dependencies. Regularly scan both new and existing dependencies to promptly identify abnormal or high-risk versions.
Rapid Response to Security Intelligence: Monitor multiple security intelligence channels (community forums, vendor bulletins, vulnerability databases) to receive attack updates in real-time and conduct emergency assessments of internal projects.

Safeheron’s Commitment to a “Defense-in-Depth” System

Beyond supply chain attacks, this incident highlights the importance of other critical security layers. Safeheron continues to invest in and fortify these areas:

Anti-Phishing and Verification Mechanisms: We conduct regular employee training to identify phishing emails and verify source authenticity, securing internal communications.
Reproducible Builds and Anti-Tampering Monitoring: All internal deliverables are produced using a reproducible build process for cross-verification. We also monitor all internal and external artifacts to ensure any unauthorized tampering triggers an immediate alert.
Core Account/Permission Management and Regular Reviews: We centralize control over sensitive accounts and system permissions, enforce periodic password changes, and strictly adhere to the principle of least privilege.

How Safeheron Protects Against Frontend Hijacking and Address Tampering

This attack relies on tampering with the transaction address at the final step via frontend code. Safeheron’s security architecture is designed to counter this exact risk scenario:

Zero-Trust-Based Secure Multi-Party Computation (MPC): Safeheron’s MPC signing technology operates on zero-trust principles. Each signing node independently executes transaction serialization. An attack or data tampering at a single point would be detected and intercepted by the other nodes.
What You See Is What You Sign (WYSIWYS): Our app strictly enforces the WYSIWYS principle. During transaction approval, users are required to cross-verify unfamiliar addresses from another trusted source, ensuring the address is correct before signing.

We detailed and demonstrated these security mechanisms following the Bybit security incident earlier this year:

A Serious Reminder for All Web3 Users

Although this attack was short-lived, its potential impact is vast, theoretically affecting any website running in a web browser. There is currently no foolproof technical method to determine if a specific site is safe.

Therefore, the Safeheron team solemnly reminds our clients and all Web3 users:

Always exercise extreme caution with on-chain transactions. Cross-verify transaction addresses through multiple trusted channels before signing.
Contact your service providers directly to confirm the scope of impact and their security status.