PANews reported on September 9th that in response to the "NPM supply chain attack," OKX Wallet stated that OKX always prioritizes system security and strictly controls the risks of using third-party components throughout product development and launch. An internal review and assessment confirmed that the OKX app, developed based on native Android and iOS frameworks, poses no security risks. The OKX plugin, web application, and mobile DApp browser do not use the affected third-party components. All platform services are operating normally, and users can continue to use them with confidence.
Reportedly, attackers stole the NPM account credentials of developer qix via a phishing email (disguised as npmjs support), then injected malicious code into 18 popular JavaScript packages he published (including chalk and debug-js, which have over 2 billion weekly downloads). This attack is considered the largest supply chain attack in history.
Notably, this malicious code does not attempt to implant a Trojan locally or steal files. Instead, it specifically targets Web3 scenarios: if it detects the presence of window.ethereum in the browser environment, it hijacks transaction requests. By tampering with the browser's Ethereum and Solana transaction requests, the malicious code redirects funds to addresses controlled by the attacker (such as Ethereum address 0xFc4a4858...) and steals assets by replacing the cryptocurrency address in the JSON response. Although the page displays the legitimate transaction address, the funds are actually transferred to the attacker's address.
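The mismatch described above, between the address the page displays and the address the transaction actually pays, can be checked mechanically. The following is an added example, not code from the report or from OKX: it covers the Ethereum case only, compares the displayed recipient with the effective recipient of an eth_sendTransaction request (including ERC-20 transfers, where the recipient sits in the calldata rather than in `to`), and all addresses and function names in it are constructed for illustration. It assumes the check runs where the request is received for signing, not inside the page bundle that may have been tampered with.

```javascript
// Added example: addresses below are constructed; function names are hypothetical.
const ERC20_TRANSFER = "0xa9059cbb"; // selector of transfer(address,uint256)

function normalize(addr) {
  const a = String(addr || "").toLowerCase();
  return /^0x[0-9a-f]{40}$/.test(a) ? a : null;
}

// Address that actually receives value. For an ERC-20 transfer, `to` is the
// token contract and the real recipient is the first ABI word of the calldata.
function effectiveRecipient(tx) {
  const data = String(tx.data || "0x").toLowerCase();
  if (data.startsWith(ERC20_TRANSFER) && data.length >= 10 + 128) {
    const word = data.slice(10, 10 + 64);
    if (!word.startsWith("0".repeat(24))) return null; // malformed padding
    return normalize("0x" + word.slice(24));
  }
  return normalize(tx.to);
}

// Compare what the user was shown with what the request will really do.
function checkRequest(displayedAddress, request) {
  if (request.method !== "eth_sendTransaction") {
    return { ok: true, reason: "not a transaction" };
  }
  const shown = normalize(displayedAddress);
  const actual = effectiveRecipient((request.params || [])[0] || {});
  if (!shown || !actual) return { ok: false, reason: "unparseable address" };
  return shown === actual
    ? { ok: true, reason: "recipient matches" }
    : { ok: false, reason: `recipient ${actual} differs from displayed ${shown}` };
}

// Constructed sample data.
const SHOWN = "0x" + "11".repeat(20); // address displayed to the user
const OTHER = "0x" + "22".repeat(20); // substituted address
const TOKEN = "0x" + "33".repeat(20); // token contract
const transferData = (recipient) =>
  ERC20_TRANSFER + recipient.slice(2).padStart(64, "0") + "64".padStart(64, "0");
const sendTx = (tx) => ({ method: "eth_sendTransaction", params: [tx] });

console.log(checkRequest(SHOWN, sendTx({ to: OTHER, value: "0x1" })));
console.log(checkRequest(SHOWN, sendTx({ to: TOKEN, data: transferData(OTHER) })));
```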
