Thread

Hackers took control of Qix’s npm account and published malicious versions of widely used npm packages containing a crypto-clipper to steal mainly from wallets and products that require making and signing transactions. More details at: https://jdstaerk.substack.com/p/we-just-found-malicious-code-in-the

At least in the Bitcoin ecosystem I haven’t seen anything affected so far (wallets usually prefer not to use JavaScript/TypeScript, so very few depend on npm). I have seen wallets from other blockchains and products affected, as well as people who have already been robbed.

As a user it’s difficult to prevent this, but as developers we can. When developing in JavaScript/TypeScript, we should evaluate which libraries we add and whether they’re truly necessary, also review the libraries used within others (yes, this is common), and avoid updating without first checking what changed.
2025-09-09 02:46:05 from 1 relay(s)
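One way to act on the post's advice to check what changed before updating, including libraries pulled in by other libraries. This is an added example, not part of the original post: it compares the `packages` maps of two parsed `package-lock.json` files (lockfileVersion 2 or 3), and the package names, versions and hashes in the sample data are constructed.

```javascript
// Package name for a lockfile path: the part after the last "node_modules/".
// Nested paths (a/node_modules/b) are transitive copies of a dependency.
function packageName(lockPath) {
  const i = lockPath.lastIndexOf('node_modules/');
  return i < 0 ? lockPath : lockPath.slice(i + 'node_modules/'.length);
}

// Compare two parsed lockfiles, e.g. JSON.parse of the committed
// package-lock.json and of the one produced by the proposed update.
function diffLockfiles(oldLock, newLock) {
  const before = oldLock.packages || {};
  const after = newLock.packages || {};
  const changes = [];
  for (const path of Object.keys(after).sort()) {
    if (path === '') continue; // the root project itself
    const prev = before[path];
    const next = after[path];
    const name = packageName(path);
    if (!prev) {
      changes.push({ kind: 'added', name, path, from: null, to: next.version });
    } else if (prev.version !== next.version) {
      changes.push({ kind: 'version', name, path, from: prev.version, to: next.version });
    } else if (prev.integrity !== next.integrity) {
      // Same version, different content hash: investigate before installing.
      changes.push({ kind: 'integrity', name, path, from: prev.version, to: next.version });
    }
  }
  for (const path of Object.keys(before).sort()) {
    if (path === '' || path in after) continue;
    changes.push({ kind: 'removed', name: packageName(path), path, from: before[path].version, to: null });
  }
  return changes;
}

// Constructed sample lockfiles (names, versions and hashes are made up).
const OLD_LOCK = { packages: {
  '': { name: 'wallet-ui', version: '1.0.0' },
  'node_modules/example-http': { version: '4.0.0', integrity: 'sha512-CCCC' },
  'node_modules/example-logger': { version: '2.1.0', integrity: 'sha512-AAAA' },
  'node_modules/example-logger/node_modules/example-color': { version: '1.3.0', integrity: 'sha512-BBBB' },
} };
const NEW_LOCK = { packages: {
  '': { name: 'wallet-ui', version: '1.0.0' },
  'node_modules/example-http': { version: '4.0.0', integrity: 'sha512-EEEE' },
  'node_modules/example-logger': { version: '2.1.0', integrity: 'sha512-AAAA' },
  'node_modules/example-logger/node_modules/example-color': { version: '1.3.1', integrity: 'sha512-DDDD' },
  'node_modules/example-util': { version: '0.9.0', integrity: 'sha512-FFFF' },
} };
for (const c of diffLockfiles(OLD_LOCK, NEW_LOCK)) console.log(c.kind, c.path, c.from, '->', c.to);
```

Each reported entry is a package whose published diff or changelog should be read before the new lockfile is accepted; the nested `example-color` bump is the kind of transitive change that is easy to miss.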