Bitcoin Wallet Applications Potentially Compromised

paul · September 8, 2025, 9:34pm

If you haven’t seen this, BTC Sessions posted a video here about it. A malicious package in NPM could potentially impact a large number of wallet applications that are built on Node.js. The package in question has been downloaded more than 1 billion times (so it is widely distributed). It contains code which looks for anything that matches the pattern of a bitcoin address, and swaps them out with another address that looks visually similar, but is controlled by the attacker.

On-chain transactions could potentially be impacted when using apps from Ledger, Trezor, Blockstream, Bitkey, Exodus, Nunchuk, Muun, Blue Wallet, Phoenix, Zeus, and a few others. Also potentially impacted are hardware signers from Trezor, Ledger, Bitbox 02, Blockstream Jade, Keystone, and Bitkey that use java script. Some wallet applications that are NOT affected include Sparrow, Spectre DIY, and Electrum.

Be extra careful to double and tripple check the output recipient and change addresses on your hardware signer’s screen before signing a transaction. Look closely, since the malware will try to use an address that looks similar. If anything looks wrong, then of course do not sign the transaction!

One thing that BTC Sessions didn’t mention is whether or not change addresses could be impacted (which could be impossible to verify if you are using an affected companion application since there would be nothing to cross-check against what you see on the signer’s screen). Also, I believe Core Lightning could potentially be impacted (I recall that I used NPM when building the CLN Application for Windows in this video).

Greg · September 9, 2025, 1:32am

I had a curious thing happen yesterday with Core and the Muun wallet. I sent out 5000 sats from Core to Muun and then tried to send 4000 back to Core from Muun. The transaction went thru (I watched it in my mempool) but I noticed this morning that the Muun wallet balance went back up and Core has a pending invoice of 4000 to receive.

I don’t have a clue if it’s related but very strange as it’s the first time Core hiccuped like that

paul · September 9, 2025, 2:28am

Were these base-layer transactions, or Lightning invoices? Only base layer transactions would be potentially impacted, though the behavior you described isn’t what I would expect. This particular hack is all about swapping bitcoin addresses with ones the hacker controls.

The behavior that I would expect to see from any wallet that was compromised (including the base layer wallet on Core Lightning if it were impacted) is that you would send some bitcoin, and the output (the amount you are spending and/or the change) would end up in someone else’s wallet instead of where you intended it to go.

Greg · September 9, 2025, 2:55pm

Lightning invoice. I did understand that the “attack” is on the base layer only but just thought it was weird that on the same day of the announcement that the Muun transaction failed. Just never happened before.

BTW - I don’t use Muun really and was just really testing different wallets that day. Thanks for the response @paul

epicpanda · September 9, 2025, 4:27pm

This is why I only use full node software for both wallet and node. The rest you just can’t trust.