# Supply Chain Attacks: A Growing Concern for Crypto

<figure><img src="/files/WfaAue0238khJyS3sUYY" alt=""><figcaption></figcaption></figure>

## **The State of Play**

Supply-chain attacks went from a rising risk in 2024 to a defining crypto threat vector in 2025. Earlier this year, [ReversingLabs documented 23 crypto-focused supply-chain campaigns](https://www.reversinglabs.com/blog/crypto-gets-a-target-on-its-back) in 2024, with npm representing 14 of these incidents. Against the backdrop of [\~$2.2B in total hacking losses for 2024](https://medium.com/@blockscope.co/2024-crypto-crime-and-security-44a368501b5d), the stage was set for this year's dramatic escalation.

<figure><img src="/files/KTv0qi45sp4cdpCTKRI7" alt=""><figcaption><p>Source: <a href="https://www.reversinglabs.com/blog/crypto-gets-a-target-on-its-back">Reversing Labs</a></p></figcaption></figure>

The year started with a huge hit, in February 2025, Bybit suffered the largest theft in industry history (Losing \~$1.5B in ETH), [driven not by key compromise but by third-party UI tampering](https://research.blockscope.co/bybit-breach#decoding-the-exploit) (Safe Wallet) in its multisig flow; investigators describe a vendor-chain compromise that altered what operators saw at approval time. In May 2025, an [AI-plugin/IDE poisoning wave around Cursor led to \~$500K](https://research.blockscope.co/mid-year-2025-crypto-crime-report#id-6.-artificial-intelligence-threat-and-opportunity) in direct losses and exposed hundreds of developer machines to backdoors and stealer payloads.

And recently, in September 2025, the JavaScript ecosystem was hit twice: first by[ a maintainer-phishing event](https://research.blockscope.co/npm-hack) that pushed crypto-drainer code into 18+ core npm packages (e.g., `chalk`, `debug`) with total \~2.6B weekly downloads, and days later by [a worming campaign (“Shai-Hulud”)](https://www.stepsecurity.io/blog/ctrl-tinycolor-and-40-npm-packages-compromised) that hijacked @ctrl/tinycolor and, via credential theft and CI pivoting, spread to 100–180+ packages.

<figure><img src="/files/IK3nDTsTiZE4YBxzvJtA" alt=""><figcaption><p>Source: <a href="https://www.stepsecurity.io/blog/ctrl-tinycolor-and-40-npm-packages-compromised">StepSecurity</a></p></figcaption></figure>

## **What are Supply Chain Attacks in Crypto?**

A supply-chain attack exploits the trust you place in everyday development tools, the package managers, build systems, wallet SDKs, and IDE extensions that feel as routine as morning coffee. Attackers don't break down your front door; they poison the water supply, inserting malicious code into trusted updates that flow naturally through your normal workflows.

In crypto, this trust sits at the most dangerous intersection: where value meets authorization. Wallet SDKs that construct transactions, signer UIs that display what you're approving, CI pipelines that build your front-end, these aren't just tools, they're the critical path between human decision and digital money.

The pattern repeats with surgical precision: Bybit users thought they were seeing legitimate transaction details when a compromised vendor UI fed them lies. Thousands of npm users received "routine" updates that quietly rewrote recipient addresses or hooked into wallet flows, all delivered through the same trusted channels they used every day. One compromised maintainer account becomes a distribution network reaching across the internet.

The cruelest part? Everything looks normal. Your IDE suggests the update, your build passes, your tests are green. The attack succeeds precisely because it arrives through channels you trust, wearing the clothes of legitimate maintenanc

## Humans, Payloads, Worms: The Supply-Chain Path

Attackers don’t hack blockchains, they hack people, then the pipeline. *Phish → publish → propagate*.                                                                                       &#x20;

<figure><img src="/files/zS2bi5ErNiOz0g0s7UUr" alt=""><figcaption></figcaption></figure>

#### **Step 1 - Break the person, Not the system**

In the npm wave, core maintainer [Qix fell for a 2FA-reset phish](https://research.blockscope.co/npm-hack#initial-compromise-a-look-alike-npm-support-domain) threatening account lockdown, giving attackers control within an hour. In the Bybit heist, [a Safe{Wallet} developer was socially engineered](https://research.blockscope.co/bybit-breach#decoding-the-exploit) through stolen AWS tokens and MFA bypass, his compromised workstation opened the door to everything that followed.

#### **Step 2 - Legitimize the payload**

With the npm account, [attackers pushed "routine" updates to `chalk`, `debug`, and 16 other packages](https://research.blockscope.co/npm-hack#background-why-compromising-qix-was-a-global-fire-alarm-moment) that ran install-time credential stealers harvesting developer tokens and cloud access. [At Bybit, attackers injected malicious JavaScript into the trusted vendor UI](https://research.blockscope.co/bybit-breach#decoding-the-exploit), so signers approved transactions that looked legitimate, but weren't. [The same "looks-legit" trick powered Cursor](https://mp.weixin.qq.com/s/wmmI_M0VyLnxoJX-7DV8Xg): a fake "Solidity Language" extension from Open VSX executed PowerShell during installation to exfiltrate secrets, leading to \~$500k in wallet thefts.

#### **Step 3 - Amplify and spread.**

The npm worm auto-cascaded from 18 initial packages to 187+ compromised releases through stolen maintainer tokens, billions of weekly downloads spreading faster than teams could respond. [Shai-Hulud demonstrated the same pattern](https://cybersecuritynews.com/npm-supply-chain-attack-crowdstrike/), worming from `@ctrl/tinycolor` to 100+ packages in one campaign. Meanwhile, Bybit's attackers rapidly drained $1.5 billion in ETH across multiple addresses once UI approvals were subverted, making it crypto's largest single heist.

The pattern repeats everywhere trust intersects with valuable access: Bybit's compromised vendor UI manipulated transaction displays at the critical moment of user approval. Cursor's ecosystem showed how alternative extension registries can become backdoor distribution networks, turning developer workstations into surveillance posts.

Each attack exploits the same fundamental weakness: humans making trust decisions under time pressure, using tools that look legitimate because they are legitimate, until they're not.

### **Why this is worse than “Just Phishing”**&#x20;

Phishing scales one victim at a time; supply-chain compromise scales **one maintainer → millions of downstream installs** in minutes. It abuses transitive trust, so warnings and training aimed at end-users don’t apply, developers install “updates” from known names, CI builds “as usual,” and signers approve transactions in UIs that look correct. Modern campaigns also harvest tokens and secrets at scale, letting attackers leapfrog into orgs’ build systems and vendors, which is why the npm incidents demanded industry-wide emergency triage even where *confirmed* on-chain thefts remained relatively small.&#x20;

## Defend Your Pipeline: Do This Next

Treat supply-chain risk like hot-path fraud risk: Verify at the moment of authorization and reduce transitive trust. Concretely:

&#x20;(1) Verify the raw transaction, recipient, amount, calldata, with an independent tool (e.g., **Blockscope Transaction Simulator**) before signing; don’t rely on a single vendor UI. The Bybit attackers manipulated the trusted Safe{Wallet} interface precisely because users relied on one source of truth. On any signing surface, enforce strict [Content Security Policy and Subresource Integrity for third-party JS](https://developer.mozilla.org/en-US/docs/Web/Security/Practical_implementation_guides) to prevent tampering.

<figure><img src="/files/yNrykigXg9XGKOOmzQoz" alt=""><figcaption><p>Blockscope Transaction Simulator lets you preview a transaction’s effects before signing, so you can verify the recipient, amount, and calldata behave as intended.</p></figcaption></figure>

(2) Pin and verify dependencies; gate publish rights to essential maintainers only; alert immediately on ownership transfers, the npm attack succeeded because Qix's compromised account had broad publishing access. Quarantine post-install scripts by default; they're prime real estate for credential harvesting.

(3) Adopt [SLSA (Supply-chain Levels for Software)](https://slsa.dev/) -style provenance and reproducible, signed builds so consumers can cryptographically verify artifact integrity. This breaks the "looks legitimate" deception that powered all three attacks by creating an auditable chain from source commit to final package.

(4) Short-lived, scoped tokens limit blast radius, [the Shai-Hulud worm spread because stolen CI tokens had persistent access](https://www.stepsecurity.io/blog/ctrl-tinycolor-and-40-npm-packages-compromised). Isolate CI runners to prevent cross-contamination; alert on workflow edits and unexpected publishes. Automation should be predictable, not surprising.

(5) Harden dev machines; Official marketplaces only for extensions (the Cursor attack exploited alternative registries like Open VSX), Workspace Trust enabled to sandbox untrusted projects, and operational signing on hardware wallets with on-device address confirmation, making UI manipulation attacks like Bybit's impossible since the hardware shows the real recipient, not the spoofed one.

## **The Meta-Lesson**

These attacks succeed because they exploit trust at scale. Your defense must verify at scale too, every signature, dependency, and CI run becomes a verification checkpoint rather than a trust assumption.

**Written by**: [Tushar Tiwari](https://in.linkedin.com/in/tushar-tiwari-1380271b7), Blockchain Forensics Analyst @ Blockscope

For more information, please reach out to us at **<hello@blockscope.tech>**

<figure><img src="/files/6vlZX96LoM2KbO06J6vR" alt=""><figcaption></figcaption></figure>

Disclaimer: Best Effort Work

This report reflects our best-effort analysis based on information available **as of publication**. Please note:

* **Data limitations:** Sources may be incomplete and the dataset can contain inaccuracies, omissions, or errors.
* **Subject to change:** New or updated evidence may emerge that could materially alter parts of this report.
* **Interpretive nature:** Findings and conclusions are based on our current understanding and may evolve over time.
* **No guarantees:** While we’ve taken reasonable steps to ensure accuracy, we cannot guarantee that all information is fully correct or complete.

This document should be treated as a snapshot of knowledge at the time of writing and may be revised if reliable new information becomes available.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://research.blockscope.co/supply-chain-attacks/supply-chain-attacks-a-growing-concern-for-crypto.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.