SEAL Intel
Sat, Sep 13, 2025, 11:14 AM UTC

Following up on 'The Largest (Failed) Supply Chain Attack in History'

On September 9th, 2025, SEAL and numerous other security vendors reported what has been branded as "The Largest Supply Chain Attack in History". Fortunately, the actors behind the campaign appear to have squandered their access, profiting only ~$1000 while exposing their attack patterns and infrastructure used in previous similar attacks. While the full impact of the attack is still unfolding, we have taken a closer look at the attacker's tactics, techniques, and procedures.

This report is a follow-up, providing a more detailed breakdown of the attacker's infrastructure, which was uncovered through trace data extracted from the now-infamous npmjs[.]help domain. This domain was used to steal NPM credentials and had the potential to expose millions of machines to malicious code, though it ultimately failed to do so.

Persistent Phishing Attempts Targeting Blockchain Ecosystems

With high confidence, we attribute additional domains to the same actor or phishing-as-a-service infrastructure used by similarly motivated threat actors.

Pivoting from the phishing payload code of npmjs[.]help (Registered on 05/09/2025), we were able to discover the following:

  1. npmjs[.]cam (Registered on 26/08/2025, note the TLD difference)
  2. 2hy[.]xyz (Registered on 02/07/2025)
  3. walleting[.]services (Registered on 26/06/2025)

The domain 2hy[.]xyz and its associated hosts shared the same uniquely obfuscated JavaScript function as npmjs[.]help. This allowed us to build a profile of a persistent attacker focused on spear-phishing cryptocurrency users. These domains did not host malware; instead, they focused on stealing credentials. Similar to the npmjs[.]help attack, they used iframes to load the content of legitimate websites to gain access or perform unintended actions on behalf of the user.

Phishing HyperLiquid

The domain 2hy[.]xyz (91.202.5.162) and its supporting infrastructure, walleting[.]services (65.108.111.55), were used to phish for access to the well-known cryptocurrency trading platform Hyperliquid. After entering credentials on app.2hy[.]xyz (or hyperliquid.2hy[.]xyz), the user was presented with a legitimate-looking Hyperliquid page. The difference from the npmjs[.]help attack lies in the details and the end goal of the malicious JavaScript injection.

Fake HyperLiquid Landing Page

In the npmjs[.]help case, the objective was to grab a 2FA access token and add an attacker-controlled API key to allow package releases (see previous write-up). In the case of 2hy[.]xyz, the purpose was to inject a malicious iframe from walleting[.]services/t/images/ns.html using the payload stored at walleting[.]services/t/images/a.js. The JavaScript file completely replaces the legitimate content and then looks for an element containing the text "Deposit". If found, it replaces the content again from the same source. The namedata function runs periodically, checking for a 'cotton' parameter in the URL. If the parameter is present, it proceeds with the following sequence of actions:

  • It programmatically clicks on various buttons and links related to an accountTable.
  • It iterates through a loop, likely to interact with multiple rows in a table, performing clicks on elements within those rows.
  • It simulates user input by setting the value of an input field to a specific wallet address: 0xbcc605314a9434855ed7C7a6C3c03b89FC966649.
  • It triggers events to ensure the website processes the simulated input.
  • The script includes sleep functions to introduce delays between actions, likely to mimic human behavior and avoid detection.

The most likely goal was to transfer funds to an attacker-controlled wallet address. The attack appears to have been completely unsuccessful.
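Both campaigns described above hinge on the same primitive: a frame or script from a host that has no business being on the page. The following added example (ours, not code from the report or from Hyperliquid) shows the defender-side check for it: parse a captured page, collect every iframe/script/frame/embed/object source, resolve each to a host and flag anything outside the page's own allowlist. The first-party host app.example.test, the allowed CDN host and the page body are constructed for the example; the walleting[.]services paths are the ones named in the report. The same allowlist is what a Content-Security-Policy with frame-src and script-src directives would enforce in the browser, so the scanner doubles as a way to derive that policy.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: served by the hypothetical first-party host
# app.example.test, with a third-party frame and script injected into it.
# The walleting[.]services URLs are the paths documented in the report.
SAMPLE_HTML = """
<html><body>
<script src="/static/app.js"></script>
<script src="https://cdn.example.test/vendor.js"></script>
<iframe src="https://walleting.services/t/images/ns.html" style="border:0"></iframe>
<script src="https://walleting.services/t/images/a.js"></script>
<a href="https://walleting.services/claim">claim</a>
</body></html>
"""

PAGE_HOST = "app.example.test"                       # hypothetical
ALLOWED_HOSTS = {"app.example.test", "cdn.example.test"}  # hypothetical allowlist


class EmbedCollector(HTMLParser):
    """Collect every element that pulls a document or code into the page."""

    SRC_TAGS = {"iframe", "frame", "script", "embed", "object"}

    def __init__(self):
        super().__init__()
        self.embeds = []  # list of (tag, url)

    def handle_starttag(self, tag, attrs):
        if tag not in self.SRC_TAGS:
            return
        attrs = dict(attrs)
        url = attrs.get("src") or attrs.get("data")  # <object> uses data=
        if url:
            self.embeds.append((tag, url))


def embed_host(url, page_host):
    """Host an embed resolves to. Relative URLs belong to the page's own
    origin; data:/javascript:/about: URLs are reported by scheme so they
    never match a host allowlist."""
    parsed = urlparse(url)
    if parsed.netloc:
        return (parsed.hostname or "").lower()
    if parsed.scheme == "":
        return page_host
    return parsed.scheme + ":"


def find_third_party_embeds(html, page_host=PAGE_HOST, allowed_hosts=ALLOWED_HOSTS):
    """Return (tag, host, url) for every embed whose host is not allowlisted."""
    collector = EmbedCollector()
    collector.feed(html)
    findings = []
    for tag, url in collector.embeds:
        host = embed_host(url, page_host)
        if host not in allowed_hosts:
            findings.append((tag, host, url))
    return findings


if __name__ == "__main__":
    for tag, host, url in find_third_party_embeds(SAMPLE_HTML):
        print(f"third-party {tag} from {host}: {url}")
```

Run it against a saved copy of a suspect page; the two walleting[.]services findings are exactly the frame and script the report describes. Plain anchors are deliberately ignored, since a link does not execute in the page's origin, while data: and javascript: sources are always reported.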

Interestingly, the domain walleting[.]services was previously used for what appears to be a legitimate service offering to claim Bitcoin-forked coins allocated to original BTC addresses from 2017 to the end of 2019. In 2025, the attacker most likely re-registered or took over the domain and pointed it to a different host. The website is currently offline, but we managed to capture its main page beforehand.

Captured main page of walleting[.]services

Previous Attempts at NPMJS Phishing

The aforementioned domain 2hy[.]xyz, resolving to 91.202.5.162, was discovered to have received requests from the domain npmjs[.]cam (note the TLD difference) between 27/08/2025 and approximately 01/09/2025, before being permanently moved about four days before the npmjs[.]help attack. Unfortunately, we were unable to retrieve the source code of that page as it was taken down too quickly. However, the naming similarity, the collision of uniquely obfuscated functions found in the JavaScript phishing payloads on both npmjs[.]help and app.2hy[.]xyz, and the close timing of domain registration all point to these services most likely being operated by the same actor.

The above indicates the persistent nature of the attacker, who utilizes spear-phishing for initial access. The injection used in the npmjs[.]help attack differs from the one used for app.2hy[.]xyz in both structure and functionality. However, both used the same obfuscation service and similar methods of observing DOM changes. Additionally, all of the domains focus on cryptocurrency users and prioritize credential theft over malware delivery.

Our hypothesis is that the attacker is more focused on phishing than malware deployment and has little to no experience with malware-related operations, as demonstrated by the extremely limited impact of the npmjs[.]help campaign. Considering the significant dispersion of infrastructure, such as different hosting providers and domain registrars, as well as different operational goals, we conclude that the attacker is operating further phishing campaigns that are not currently visible to us. Attacks of this nature may not be limited to NPMJS and Hyperliquid but could be actively targeting other types of services with the goal of cryptocurrency theft.

Relationships Graph

Infrastructure graph

NPMJS Risk Surface

Attacks on the maintainers and publishers of npm packages are common because their email addresses are trivially collectable with npm view for every release. Neither PyPI, Cargo, nor any other popular package manager exposes a similar type of data. Of course, emails can still be collected from other sources; however, the npm registry provides a precise signal for malicious operators. Below, we list a few relevant observations on how to limit the attack surface of your npm publishing pipeline.

  1. Periodically check and purge old and inactive accounts from the list of maintainers of your packages to limit access exposure.
  2. For projects and companies, publishers should only be allowed to trigger releases or update the code of the package using company-controlled accounts/domains. Use npm view or query registry.npmjs.org to check if any of your maintainers are using their private accounts for company code.
  3. Allow notifications only from known, authorized domains such as npmjs.com or npmjs.org, and never from look-alikes such as npmjs[.]help or npmjs[.]cam.
  4. Keep in mind that data on the NPMJS registry is easy to spoof. For example, the "Repository" and "Homepage" URLs displayed on the package page are read from the user-supplied package.json. Ensure your developers do not fall prey to such spoofing.
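Items 2 to 4 above can be turned into a single audit. The added example below (ours, not tooling from SEAL or npm) consumes the JSON that npm view <package> maintainers repository --json emits, flags maintainers whose email domain is not company-controlled, flags a repository URL that does not point at the host you expect, and classifies a notification sender's domain as allowed, look-alike (same brand label, different TLD, as with npmjs[.]help and npmjs[.]cam) or unknown. The package metadata, the company domain example-corp.test and the maintainer names are constructed; the registry domains and the look-alike domains come from the report.

```python
import json
from urllib.parse import urlparse

# Constructed stand-in for:  npm view <package> maintainers repository --json
# Names, addresses and the example-corp.test domain are made up.
SAMPLE_NPM_VIEW = json.dumps({
    "maintainers": [
        {"name": "alice", "email": "alice@example-corp.test"},
        {"name": "bob-old", "email": "bob@gmail.com"},
        {"name": "ci-bot", "email": "release@example-corp.test"},
    ],
    "repository": {"type": "git",
                   "url": "git+https://github.com/example-corp/widget.git"},
})

COMPANY_DOMAINS = {"example-corp.test"}          # hypothetical
EXPECTED_REPO_HOSTS = {"github.com"}             # hypothetical
LEGIT_REGISTRY_DOMAINS = {"npmjs.com", "npmjs.org"}  # from the report


def email_domain(addr):
    """Domain part of an address, lower-cased."""
    return addr.rsplit("@", 1)[-1].lower().rstrip(".")


def is_legit(host, legit_domains):
    """True for a legit domain or any of its subdomains (registry.npmjs.org)."""
    return any(host == d or host.endswith("." + d) for d in legit_domains)


def is_lookalike(host, legit_domains):
    """True when host reuses a legit brand label without being that domain:
    a different TLD (npmjs.help) or the brand buried in another name
    (npmjs.com.evil.test)."""
    host = host.lower().rstrip(".")
    if is_legit(host, legit_domains):
        return False
    brand_labels = {d.split(".")[0] for d in legit_domains}
    return any(label in brand_labels for label in host.split("."))


def check_sender_domain(addr, legit_domains=LEGIT_REGISTRY_DOMAINS):
    """Classify the sender of a registry notification: allowed / lookalike / unknown."""
    dom = email_domain(addr)
    if is_legit(dom, legit_domains):
        return "allowed"
    return "lookalike" if is_lookalike(dom, legit_domains) else "unknown"


def audit_package(npm_view_json, company_domains=COMPANY_DOMAINS,
                  expected_repo_hosts=EXPECTED_REPO_HOSTS):
    """Return findings for non-company maintainers and unexpected repository hosts."""
    data = json.loads(npm_view_json)
    findings = []
    for m in data.get("maintainers", []):
        dom = email_domain(m.get("email", ""))
        if dom not in company_domains:
            findings.append(("non-company-maintainer", m.get("name"), dom))
    repo_url = (data.get("repository") or {}).get("url", "")
    # npm prefixes VCS URLs with "git+"; drop it before parsing the host
    repo_host = (urlparse(repo_url.removeprefix("git+")).hostname or "").lower()
    if repo_host not in expected_repo_hosts:
        findings.append(("unexpected-repository-host", repo_host, repo_url))
    return findings


if __name__ == "__main__":
    for finding in audit_package(SAMPLE_NPM_VIEW):
        print(finding)
    for sender in ("noreply@npmjs.com", "support@npmjs.help", "x@npmjs.cam"):
        print(sender, "->", check_sender_domain(sender))
```

Feed the real npm view output in place of the constructed sample and run the audit on a schedule; a maintainer showing up under a personal domain is the item-2 finding, and a repository host you do not recognise is the item-4 spoofing case. The look-alike check is a coarse string test, not a substitute for verifying a sender with SPF/DKIM, but it catches the TLD swap used by both phishing domains in this report.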

IOCs

Domain Names

  1. npmjs[.]cam (Registered on 26/08/2025)
  2. 2hy[.]xyz (Registered on 02/07/2025)
  3. walleting[.]services (Registered on 26/06/2025)

IP Addresses

npmjs[.]cam -> 91.202.5.162

2hy[.]xyz -> 91.202.5.162

walleting[.]services -> 65.108.111.55

Payloads (Phishing Scripts)

obfuscated 2hy[.]xyz injection

deobfuscated 2hy[.]xyz injection

EVM Address

0xbcc605314a9434855ed7C7a6C3c03b89FC966649

© 2025, Open Security Alliance, 501(c)(3)