Binance, the largest cryptocurrency exchange in the world by trading volume, has assured customers that their information and assets were not stolen in a massive supply chain attack.
The breach affected widely used JavaScript packages that account for more than two billion downloads, but Binance said its systems suffered no damage.
Supply Chain Attack Targets Popular JavaScript Packages
On September 8, 2025, the supply chain attack became one of the biggest in the history of NPM, the JavaScript package manager. Attackers took over the account of a trusted open-source maintainer, qix, who had been tricked by a phishing email into changing his two-factor authentication information. With the maintainer's account compromised, the attackers were able to add malicious code to 18 popular Node.js packages, such as chalk, debug, and ansi-styles. These libraries are commonly integrated into web applications.
Malicious Code Affects Crypto Transactions
The malicious code introduced into the affected packages was a browser-based interceptor. Researchers found that it was designed to track and steal crypto transactions. In particular, it targeted wallet addresses and transaction information for leading digital currencies such as Bitcoin, Ethereum, and Solana. The malware then swapped the destination wallet addresses for ones the attackers controlled, diverting the funds without the users' knowledge.
Binance Responds Quickly, Assures Users
Although the attack was widespread, Binance soon reassured its customers that no customer data or assets were at stake. The exchange wrote on X that its systems were not affected by the breach. Binance stressed that security was its number one priority and that supply chain security matters. Co-founder Changpeng Zhao, or CZ, also commented on the attack, saying that in the current world, even open-source software can be compromised. He opined that Web3 will be central in redefining Web2 security.

The malicious email that set off one of the largest NPM attacks in history. Source: Aikido Security
The supply chain attack was alarming, but Binance was quick to reassure users that their assets were secure. The incident is a reminder of the growing importance of securing open-source software in the crypto world.

