18 Popular Code Packages Hacked, Rigged to Steal Crypto

ID: 9a2525e7-c420-50a6-a04f-cdb87e6e03a8

STIX ID: report--9a2525e7-c420-50a6-a04f-cdb87e6e03a8

Feed Name: Krebs on Security

Threat Score: 78/100

Date Published: 2025-09-08

Date Updated: 2026-04-19

Author: BrianKrebs

A phishing campaign compromised an NPM maintainer and briefly injected malicious code into at least 18 widely used JavaScript packages, which are collectively downloaded at massive scale. The injected code intercepted browser wallet activity and rewrote payment destinations to attacker-controlled accounts. The modifications were quickly detected and removed, but the incident underscores severe supply-chain risk, the danger of phishable 2FA, and the need for stronger provenance and attestation for widely used packages.