
Bitcoin Suisse Confirms No Impact from Recent npm Supply Chain Attack

Bitcoin Suisse
11 Sep 2025 | 5 Min

Over the past years, there has been a marked increase in cyberattacks targeting both individuals and organizations in the digital asset space. According to ReversingLabs’ 2025 Software Supply Chain Security Report, 14 of the 23 crypto-related malicious campaigns in 2024 were aimed at the Node Package Manager (NPM) registry, with others focusing on Python’s PyPI. Beyond open-source packages, phishing campaigns, exchange exploits and wallet-draining malware have all grown more sophisticated.  

What Happened This Week

On September 8, attackers hijacked the npm account of a well-known open-source maintainer through a phishing email. npm, the world’s largest registry for open-source JavaScript packages, is widely used by developers to share and download code. The attacker then published malicious updates to widely used JavaScript libraries (including chalk, strip-ansi, and color-convert), which collectively record hundreds of millions of weekly downloads.

The injected malware acted as a crypto-clipper, designed to intercept cryptocurrency transactions by: 

  • Replacing wallet addresses in network traffic with attacker-controlled addresses that closely resembled the intended ones.
  • Hijacking wallet APIs to alter the recipient address of transactions before they were signed.

In practice, this malware works as a browser-based interceptor. It inserts itself into functions such as fetch, XMLHttpRequest, and popular wallet interfaces. Once active, it silently alters requests and responses, swapping out sensitive details like wallet addresses or approval targets with attacker-controlled values. To make detection harder, it uses look-alike strings and operates at multiple layers: changing content displayed on websites, tampering with API calls, and even manipulating what users’ applications believe they are signing. Transactions may appear legitimate on-screen, while being redirected in the background. 
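
As an added illustration (not Bitcoin Suisse code and not taken from the incident), the following JavaScript shows one way a web application can detect that fetch, XMLHttpRequest or a wallet provider method has been replaced after page start-up. The stand-in window object, the helper names and the choice of ethereum.request as the wallet interface are assumptions made for this example.

```javascript
// Added example: detect replaced network/wallet entry points by comparing
// them with references captured before any third-party bundle executes.
const WATCHED = [
  'fetch',
  'XMLHttpRequest.prototype.open',
  'XMLHttpRequest.prototype.send',
  'ethereum.request', // assumption: an EIP-1193 provider is the wallet interface
];

// Walk a dotted path; returns undefined if any segment is missing.
function resolve(root, path) {
  return path.split('.').reduce((obj, key) => (obj == null ? undefined : obj[key]), root);
}

// Record the current function reference for each watched path.
function snapshotHooks(root, paths = WATCHED) {
  const baseline = new Map();
  for (const p of paths) baseline.set(p, resolve(root, p));
  return baseline;
}

// Return the watched paths whose reference no longer matches the baseline.
function findTampered(root, baseline) {
  const changed = [];
  for (const [p, original] of baseline) {
    if (resolve(root, p) !== original) changed.push(p);
  }
  return changed;
}

// Constructed stand-in for a browser `window`, so the check runs offline in Node.
function makeFakeWindow() {
  function XMLHttpRequest() {}
  XMLHttpRequest.prototype.open = function open() {};
  XMLHttpRequest.prototype.send = function send() {};
  return {
    fetch: async function fetch() { return { ok: true }; },
    XMLHttpRequest,
    ethereum: { request: async function request() { return null; } },
  };
}

function demo() {
  const win = makeFakeWindow();
  const baseline = snapshotHooks(win);
  const clean = findTampered(win, baseline);
  // Simulate a dependency wrapping two entry points (pass-through wrappers only).
  const origFetch = win.fetch;
  win.fetch = (...args) => origFetch(...args);
  const origRequest = win.ethereum.request;
  win.ethereum.request = (...args) => origRequest(...args);
  return { clean, tampered: findTampered(win, baseline) };
}

console.log(demo());
```

The check is only as trustworthy as its baseline: the snapshot has to be taken in a script that loads before any bundled dependency, otherwise an already-wrapped function is recorded as the original.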

Please find a detailed technical breakdown, including impacted JavaScript libraries, here.

Immediate Reassurance: Bitcoin Suisse Is Not Affected

After conducting an extensive due diligence review, we can confirm that Bitcoin Suisse systems have not been compromised and are not affected by this incident. The malicious code was limited to specific open-source packages used in web applications, and it had no impact on our infrastructure or the security of our clients’ assets. 

While this incident demonstrated the potential risks of software supply chain attacks, it also highlighted the strength of the open-source community. The malicious packages were identified within minutes and taken down within hours, thanks to the vigilance and collaboration of developers, researchers, and platform maintainers worldwide. 

How We Continue to Protect Our Clients’ Assets

At Bitcoin Suisse, the security of our clients remains our highest priority. For us, security isn’t optional. It’s embedded in our DNA and in every service we provide. Unlike many organizations that rely on external package registries, we do not use third-party package registries in our vault systems. To further reduce risk, we have invested significant effort in developing our own cryptographic libraries in-house. This approach minimizes exposure to supply chain attacks and ensures that the core of our technology stack remains secure, controlled and trustworthy.   

Unrelated to this event – but driven by the rise in cyberattacks across the industry – we recently implemented the optional Verified Crypto Withdrawal feature. This ensures that any withdrawal request undergoes identity verification and direct coordination with our team, providing an added layer of protection during times of heightened cyber risk. If you wish to enable that feature, please get in touch with your dedicated relationship manager or contact us here.  

We remain highly committed to monitoring developments closely, working with trusted partners and the broader ecosystem and safeguarding our clients so they can navigate the digital asset landscape with confidence and security.
