Phantom, a prominent cryptocurrency wallet provider, has issued a public statement assuring its users that their funds and data remain secure following a widespread supply chain attack targeting popular npm packages. The company clarified its position on social media, stating: "Phantom is not at risk. We have confirmed Phantom does not use any vulnerable versions of the affected packages." This announcement comes as the broader crypto ecosystem grapples with new sophisticated threats.
The recent incident, flagged by Aikido Security, involved malicious code injected into 18 widely used npm packages, including chalk and debug, which collectively account for over two billion weekly downloads. The malware was designed to hijack crypto wallets such as MetaMask and Phantom by altering transaction data before users signed it, making fraudulent transfers appear legitimate. The rapid detection of the attack reportedly limited its overall damage.
Phantom attributed its resilience to a robust set of internal security protocols. These include strict version pinning for all dependencies, which prevents automatic updates to potentially compromised packages. The company also implements mandatory security reviews for all package upgrades, multi-layered dependency scanning, vulnerability monitoring, and isolated build environments with integrity verification, as detailed in its public statement.
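The pinning practice described above is something any npm project can verify for itself. The following is an added example, not Phantom's code: it audits a `package.json` for dependency specifiers that are not exact versions and checks that the `package-lock.json` (lockfileVersion 3 layout) records an exact resolved version and an integrity hash for each. The manifest and lockfile it runs on are constructed sample data, and the version numbers in them are arbitrary.

```javascript
// Added example, not Phantom's code: audit an npm manifest for dependencies
// that are not pinned to an exact version, and check that the lockfile
// (lockfileVersion 3 layout) records an exact version and an integrity hash
// for each, so an `npm ci` install cannot silently pick up a newer release.

// An exact pin: MAJOR.MINOR.PATCH with an optional prerelease tag, no range operators.
const EXACT_VERSION = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;

function auditPinning(pkgJson, lockJson) {
  const findings = [];
  const deps = { ...(pkgJson.dependencies || {}), ...(pkgJson.devDependencies || {}) };
  const lockPackages = lockJson.packages || {};

  for (const [name, spec] of Object.entries(deps)) {
    const pinned = EXACT_VERSION.test(spec);
    if (!pinned) {
      findings.push({ name, problem: `floating specifier "${spec}" may resolve to a newer release` });
    }
    const entry = lockPackages[`node_modules/${name}`];
    if (!entry) {
      findings.push({ name, problem: 'not recorded in lockfile' });
      continue;
    }
    if (!entry.integrity) {
      findings.push({ name, problem: 'lockfile entry has no integrity hash' });
    }
    if (pinned && entry.version !== spec) {
      findings.push({ name, problem: `lockfile resolved ${entry.version}, manifest pins ${spec}` });
    }
  }
  return findings;
}

// Constructed sample data; version numbers are arbitrary and not the
// compromised releases from the incident described above.
const samplePackageJson = {
  dependencies: { chalk: '5.3.0', debug: '^4.3.0' },
  devDependencies: { 'left-pad': 'latest' },
};
const sampleLockfile = {
  lockfileVersion: 3,
  packages: {
    'node_modules/chalk': { version: '5.3.0', integrity: 'sha512-constructedExampleHash==' },
    'node_modules/debug': { version: '4.3.4' }, // no integrity field
  },
};
for (const f of auditPinning(samplePackageJson, sampleLockfile)) {
  console.log(`${f.name}: ${f.problem}`);
}
```

On the sample data, chalk passes cleanly, while debug and left-pad each produce two findings.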
The assurance follows other security-related challenges and allegations faced by the wallet provider. In May 2025, Phantom patched a homograph attack vulnerability (CVE-2025-27611) in the Base-x library, which could have allowed Unicode lookalike characters to silently alter wallet addresses. Additionally, Phantom is currently facing a lawsuit alleging a $500,000 theft due to purported vulnerabilities related to unencrypted private keys, claims which the company has strongly denied.
Despite these incidents, Phantom consistently emphasizes its commitment to user security. The company reiterated its dedication to protecting user funds against evolving threats, stating it "will continue investing in our security practices to keep them safe." This ongoing focus on security is critical in the dynamic landscape of cryptocurrency, where new attack vectors frequently emerge.