Newest version got hacked with malware #17

@jdstaerk

Description

Affected Package: error-ex
Affected Version: 1.3.3
Patched Version: The last known safe version is 1.3.2.
Severity: Critical
Code: https://www.npmjs.com/package/error-ex?activeTab=code (Line 9 in index.js)

Summary

Version 1.3.3 of the error-ex package, published recently on npm, contains obfuscated, malicious code. This code appears to be a "crypto-clipper" designed to steal cryptocurrency from users by intercepting and modifying wallet addresses in web traffic and hijacking wallet transactions.

Given the package's high download count (over 47 million weekly downloads), this poses a significant supply chain risk to the JavaScript ecosystem.

Details

We discovered this vulnerability after our CI/CD pipeline began failing with a ReferenceError: fetch is not defined. Investigation revealed that our build was installing error-ex@1.3.3 despite our package-lock.json specifying version 1.3.2.

The code in v1.3.3 is heavily obfuscated. After deobfuscation, the malware's functionality can be summarized as follows:

Passive Address Replacement:

The script monkey-patches window.fetch and XMLHttpRequest.

It intercepts all network requests and responses from the host page.

It scans the data for cryptocurrency addresses (BTC, ETH, SOL, LTC, etc.).

If an address is found, it is replaced with a visually similar address from a hardcoded list belonging to the attacker.

Active Transaction Hijacking:

The script checks for the presence of window.ethereum (injected by browser wallets like MetaMask). It hijacks the wallet's request and send methods. When a user initiates a transaction (e.g., eth_sendTransaction), the script intercepts the transaction object before it is signed. It replaces the recipient's address with the attacker's hardcoded address.

The modified transaction is then forwarded to the user's wallet for approval. A user who doesn't meticulously check the address will sign a transaction sending funds to the attacker.

Impact

This is a critical vulnerability that can lead to the direct financial loss of users whose applications include this compromised package. It actively works to steal funds without the user's knowledge.
