Crypto Users At Risk After Hackers Exploit NPM JavaScript Libraries

  • Written by Kiara Fabbri Former Tech News Writer
  • Fact-Checked by Sarah Frazier Former Content Manager

Hackers hijacked popular NPM packages by injecting them with malicious code, stealing cryptocurrency funds from billions of users who downloaded the affected packages.

In a rush? Here are the quick facts:

  • Popular libraries affected include chalk, strip-ansi, debug, and color-convert.
  • Malware hijacks cryptocurrency transactions by replacing wallet addresses in browsers.
  • Only users updating packages during the attack window are at high risk.

The Node Package Manager (NPM) ecosystem suffered its biggest supply chain attack to date, as first reported by Bleeping Computer (BC). Hackers embedded malware into popular JavaScript libraries, which users download billions of times each week.

The attackers used fake NPM support emails to send package maintainers false alerts, prompting them to update their two-factor authentication.

Josh Junon (qix), a targeted maintainer, confirmed the phishing attack, stating it came from a fake domain, ‘npmjs[.]help.’ Attackers introduced harmful code into three widely used packages, which together receive more than 2.6 billion weekly downloads: chalk, strip-ansi, and debug.

CoinTelegraph explains that the malware acts as a crypto-clipper, monitoring web browser transactions for cryptocurrency addresses and replacing them with attacker-controlled addresses.

“The packages were updated to contain a piece of code that would be executed on the client of a website, which silently intercepts crypto and web3 activity in the browser, manipulates wallet interactions, and rewrites payment destinations,” explained Charlie Eriksen from Aikido Security, as reported by BC.

He added, “What makes it dangerous is that it operates at multiple layers: altering content shown on websites, tampering with API calls, and manipulating what users’ apps believe they are signing.”

CoinTelegraph notes that the attack specifically targets users who installed or updated compromised packages through web-based applications. Developers using pinned older versions remain protected, but users who rely on the latest software wallets face the greatest danger.
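To make the pinned-versus-updated distinction concrete, the following added example (not code from the article or from NPM) reports, for the four packages named above, whether a project declares them with an exact pin or a floating range and which versions its lockfile resolves. The function names, the sample project and all version numbers are constructed for illustration; the affected releases are not listed on this page and must come from the advisory.

```javascript
// Added example (not from the article): report how a project depends on the
// packages the article names, using constructed package.json / lockfile data.
const WATCHED = ["chalk", "strip-ansi", "debug", "color-convert"];

// Exact pin: a bare version like "4.1.2" (optional "=", prerelease, build).
const EXACT = /^=?\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;

function classifySpec(spec) {
  const s = spec.trim();
  if (EXACT.test(s)) return "pinned";
  if (/^(git\+|git:|https?:|file:|github:|npm:)/.test(s)) return "non-registry";
  return "floating"; // ^1.2.3, ~1.2.3, >=1, 1.x, "*", "latest", other dist-tags
}

// Lockfile v2/v3 layout: lock.packages maps "node_modules/<name>" (possibly
// nested under another package) to an entry with the resolved "version".
function resolvedVersions(lock, name) {
  const suffix = "node_modules/" + name;
  const versions = new Set();
  for (const [path, entry] of Object.entries((lock && lock.packages) || {})) {
    if (path === suffix || path.endsWith("/" + suffix)) versions.add(entry.version);
  }
  return [...versions].sort();
}

function auditProject(pkg, lock) {
  const direct = {};
  for (const section of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) direct[name] = spec;
  }
  return WATCHED.map((name) => {
    const resolved = resolvedVersions(lock, name);
    const declared = name in direct ? classifySpec(direct[name]) : resolved.length ? "transitive" : "absent";
    return { name, declared, spec: direct[name] || null, resolved };
  });
}

// Constructed sample input; version numbers are placeholders, not the affected releases.
const samplePkg = { dependencies: { chalk: "^5.0.0", debug: "4.0.0", express: "^4.0.0" } };
const sampleLock = { packages: {
  "": { name: "demo" },
  "node_modules/chalk": { version: "5.0.1" },
  "node_modules/debug": { version: "4.0.0" },
  "node_modules/express/node_modules/debug": { version: "2.0.0" },
  "node_modules/strip-ansi": { version: "6.0.0" },
} };

console.table(auditProject(samplePkg, sampleLock));
```

An exact pin in package.json does not constrain copies pulled in by other dependencies (the nested `debug` above); the lockfile does, provided installs use `npm ci`, which installs exactly what the lockfile records.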

Hardware wallets requiring manual transaction verification offer the strongest security protection.

BC says that NPM has removed some malicious versions, including the debug package, downloaded 357.6 million times per week. Security experts advise users to handle cryptocurrency transactions with care until all affected packages complete their full security update.

AI Agents Threaten Booking, Expedia, And Airbnb’s Business Models

  • Written by Kiara Fabbri Former Tech News Writer
  • Fact-Checked by Sarah Frazier Former Content Manager

Travel planning giants are embracing AI tools as AI agents are entering this field and threatening to bypass online platforms.

In a rush? Here are the quick facts:

  • Booking.com, Expedia, and Airbnb partner with OpenAI to integrate AI tools.
  • AI “agents” could bypass platforms, letting users book directly with hotels and airlines.
  • The $1.6 trillion travel market faces disruption from AI-powered automation.

The three major online travel platforms — Booking.com, Expedia, and Airbnb — are working to adapt to AI agents, which could bypass their role in the travel booking process, as reported in an analysis by the Financial Times (FT).

The $1.6 trillion global travel market faces transformation as OpenAI, Google, and Anthropic develop bots that operate as AI agents, designed to create personalized travel arrangements for users.

FT notes that Booking and Expedia have partnered with OpenAI to launch tools such as AI trip planners, while Airbnb has already introduced an AI-enabled customer service agent. Next year, Airbnb plans to add more “agentic” functions.

Glenn Fogel, CEO of Booking Holdings, said to FT: “We don’t have to do what OpenAI, Google, Grok or Meta are doing . . . [all of whom] are having to invest incredible amounts of money to build these models. Our belief is that as long as we . . . work closely with them that we will be able to participate in a way that provides a great return for our customers and our partners.”

Hotels see AI agents as beneficial because they reduce the 15–20% commission fees typically paid to online travel agencies. HOTREC, a European group, believes AI agents show strong potential to decrease OTA dependence but may create another dependency cycle.

Investors remain cautious. “There was a natural inclination and still is among investors that travel loses in an AI first world,” said Eric Sheridan, analyst at Goldman Sachs, as reported by the FT.

Airbnb chief Brian Chesky said its platform will become “more personalised and more agentic” in 2025: “It will not only tell you how to cancel your reservation, it will know which reservation you want to cancel,” as reported by the FT.

According to WIRED, new AI agents from OpenAI and Anthropic, including Operator and Computer Use, now generate customized itineraries based on user preferences.

WIRED put the technology to the test by letting AI plan an entire vacation, from transport and accommodation to meals and activities. The experiment showed that while the tools are not flawless, the overall outcome was summed up with: “It wasn’t terrible.”

Still, AI travel agents have limitations. Researchers found OpenAI’s GPT-4 successfully handled complex travel planning just 0.6% of the time. “I am not foolish enough to say that I’m not worried about it,” admitted Fogel, as reported by the FT.

Indeed, AI systems fail to duplicate human emotional intelligence and nuanced travel understanding, which results in incorrect and absurd recommendations. In line with this, Euro News gives the bizarre example of a Microsoft AI guide’s suggestion of the Ottawa Food Bank as a top attraction.

Euro News points out that AI agents fail to handle complex itineraries, special dietary or mobility needs, and cannot negotiate or provide reassurance during travel disruptions.

Experts stress that AI should augment, not replace, human agents, as travellers still value personal connection, local knowledge, and tailored guidance over automated planning.