Qix-/node-simple-swizzle
- 0.2.3
Version 0.2.3 of the 'simple-swizzle' npm package is a malicious release: it contains malware that redirects cryptocurrency transactions to attacker-controlled addresses. This is a supply-chain compromise rather than a defect in the package's own code: the maintainer's npm account was taken over through a phishing attack, and the malicious version was published on September 8, 2025. The version has since been removed from the npm registry, but anyone who installed it may still be affected if it was bundled into code that runs in a browser.
The malware intercepts and manipulates cryptocurrency transactions in the victim's browser, redirecting funds to attacker-controlled wallets. It does this by hijacking standard web APIs and wallet provider interfaces, such as the one injected by MetaMask, so that transaction data (for example the recipient address) is altered before the user signs it.
The malicious behavior is triggered by including 'simple-swizzle' version 0.2.3 in a project and bundling it with a tool that targets browser environments, such as Vite or Next.js. Once the package runs in a browser context, the malware hooks into web3 wallet APIs and intercepts transaction requests. Note that 'simple-swizzle' is rarely a direct dependency; it is usually pulled in transitively (for example through color-string), so the compromised version can be present in a lockfile without appearing in package.json.
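The hooking pattern the paragraph describes, as an added illustration written for this page rather than code taken from the malicious 'simple-swizzle' release or from the package project: a stand-in for an EIP-1193 wallet provider (the interface behind window.ethereum) is wrapped so that the recipient of each eth_sendTransaction is rewritten before signing, followed by two checks a web page can run to notice such a hook. The provider model, the addresses and the function names are assumptions for the example; real wallet provider internals differ.

```javascript
// Illustration of the interception pattern, written for this page; it is NOT
// the simple-swizzle payload. A model EIP-1193 provider is hooked so that the
// recipient of every eth_sendTransaction is swapped before the wallet sees it,
// and two checks a page can run to detect that hook are shown. Addresses are
// constructed placeholders.

const USER_INTENDED_TO = "0x1111111111111111111111111111111111111111"; // constructed
const ATTACKER_TO      = "0x2222222222222222222222222222222222222222"; // constructed

// Minimal model of a wallet provider: records each transaction it is asked to sign.
function makeProvider() {
  return {
    signed: [],
    async request({ method, params }) {
      if (method === "eth_sendTransaction") this.signed.push(params[0]);
      return "0x" + "ab".repeat(32); // fake transaction hash
    },
  };
}

// The hook: wrap request(), rewrite params[0].to on signing requests, pass
// every other method (eth_chainId, eth_accounts, ...) through unchanged so the
// dapp keeps working and nothing looks broken.
function installAddressSwapHook(provider, attackerAddress) {
  const original = provider.request.bind(provider);
  provider.request = async function hooked(args) {
    if (args && args.method === "eth_sendTransaction" && Array.isArray(args.params) && args.params[0]) {
      const [tx, ...rest] = args.params;
      return original({ ...args, params: [{ ...tx, to: attackerAddress }, ...rest] });
    }
    return original(args);
  };
}

// Check 1: snapshot the provider's request() as early as possible (first inline
// script on the page) and compare the reference right before asking the user to sign.
function snapshotProvider(provider) {
  return { request: provider.request };
}
function providerTampered(provider, snapshot) {
  return provider.request !== snapshot.request;
}

// Check 2: platform functions such as fetch or XMLHttpRequest.prototype.send are
// native in a browser; a JavaScript wrapper no longer stringifies to "[native code]".
// (Node's own fetch is implemented in JavaScript, so apply this check in a browser.)
function looksNative(fn) {
  return /\{\s*\[native code\]\s*\}\s*$/.test(Function.prototype.toString.call(fn));
}

// Run the model end to end and return what a page would observe.
async function demo() {
  const provider = makeProvider();
  const snapshot = snapshotProvider(provider);
  const tx = { from: "0x" + "00".repeat(20), to: USER_INTENDED_TO, value: "0x2386f26fc10000" };

  await provider.request({ method: "eth_sendTransaction", params: [tx] }); // clean provider
  installAddressSwapHook(provider, ATTACKER_TO);                           // compromise
  await provider.request({ method: "eth_sendTransaction", params: [tx] }); // hooked provider
  await provider.request({ method: "eth_chainId" });                       // untouched by the hook

  return {
    signedBeforeHook: provider.signed[0].to,
    signedAfterHook: provider.signed[1].to,
    tampered: providerTampered(provider, snapshot),
    pushLooksNative: looksNative(Array.prototype.push),
    hookLooksNative: looksNative(provider.request),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  demo().then((r) => console.log(JSON.stringify(r, null, 2)));
}
```

The reference-snapshot check only helps if the snapshot is taken before any third-party bundle runs, which is why the wallet prompt itself, not page-side JavaScript, is the last line of defense: users should compare the recipient shown by the wallet with the address they intended.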
Users should update to 'simple-swizzle' version 0.2.4, check lockfiles for any remaining pin of 0.2.3 (including transitive, nested copies), remove the 'node_modules' directory, clean the package manager's global cache, and rebuild any browser bundles from scratch before redeploying them. Those using private registries or proxy caches should purge the compromised version so it cannot be reinstalled.
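A lockfile check for the remediation steps above, added here as an example and not part of the advisory: it reports every install path at which an npm lockfile pins simple-swizzle 0.2.3, handling lockfileVersion 2/3 ("packages", keyed by install path) and the older lockfileVersion 1 ("dependencies", a nested tree). The two sample lockfiles are constructed for this example.

```javascript
// Added example (not part of the advisory): find where an npm lockfile pins
// the compromised simple-swizzle release so you know whether a rebuild is
// needed. Sample lockfiles below are constructed for this example.

const COMPROMISED = { name: "simple-swizzle", version: "0.2.3" };

// Return every install path at which target.name is pinned to target.version.
function findCompromised(lock, target = COMPROMISED) {
  const hits = new Set();

  // lockfileVersion 2/3: "node_modules/a/node_modules/simple-swizzle": { version }
  for (const [installPath, meta] of Object.entries(lock.packages || {})) {
    if (installPath === "") continue; // the root project entry
    const name = installPath.split("node_modules/").pop();
    if (name === target.name && meta && meta.version === target.version) hits.add(installPath);
  }

  // lockfileVersion 1 tree (also kept in v2 files for backwards compatibility)
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const installPath = `${prefix}node_modules/${name}`;
      if (name === target.name && meta && meta.version === target.version) hits.add(installPath);
      walk(meta && meta.dependencies, `${installPath}/`);
    }
  };
  walk(lock.dependencies, "");

  return [...hits].sort();
}

// Convenience wrapper for a lockfile on disk: returns the hit list.
function scanLockfile(filePath) {
  const fs = require("node:fs");
  return findCompromised(JSON.parse(fs.readFileSync(filePath, "utf8")));
}

// Constructed sample: a v3 lockfile where color-string pulled in the bad release.
const SAMPLE_LOCK_V3 = {
  name: "example-app", lockfileVersion: 3, requires: true,
  packages: {
    "": { name: "example-app", dependencies: { color: "^4.2.3" } },
    "node_modules/color": { version: "4.2.3", dependencies: { "color-string": "^1.9.0" } },
    "node_modules/color-string": { version: "1.9.1", dependencies: { "simple-swizzle": "^0.2.2" } },
    "node_modules/simple-swizzle": { version: "0.2.3", dependencies: { "is-arrayish": "^0.3.1" } },
    "node_modules/is-arrayish": { version: "0.3.2" },
  },
};

// Constructed sample: a v1 lockfile with a nested (non-hoisted) compromised copy
// next to a hoisted clean one, which must not be flagged.
const SAMPLE_LOCK_V1 = {
  name: "example-app", lockfileVersion: 1, requires: true,
  dependencies: {
    "color-string": {
      version: "1.9.1",
      dependencies: { "simple-swizzle": { version: "0.2.3" } },
    },
    "simple-swizzle": { version: "0.2.2" },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  const target = process.argv[2];
  const hits = target ? scanLockfile(target) : findCompromised(SAMPLE_LOCK_V3);
  console.log(hits.length ? `compromised pins:\n  ${hits.join("\n  ")}` : "no compromised pins");
}
```

Run it as `node scan.js package-lock.json` against each project. If it reports any path, fix the pin (for example with `npm ls simple-swizzle` to see who depends on it), then delete node_modules, clear the cache (`npm cache clean --force`, `yarn cache clean` or `pnpm store prune`), reinstall, and rebuild every browser bundle.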