Open Source · 2025-09-09 · 0 days · Financial Exploitation

@coveops/abi shipped Qix wallet drainer

Part of the Qix phishing shipped wallet drainers campaign

JFrog listed @coveops/abi 2.0.1 among the September 2025 npm phishing follow-on packages. The malicious release carried the same browser wallet-drainer family as the wider Qix campaign.

Story

@coveops/abi was a follow-on package in the September 2025 npm phishing wave. JFrog identified version 2.0.1 as malicious after the first public attention had centered on the better-known Qix-maintained utility packages.

The package was not part of the original maintainer account set, which is why it is modeled separately. The trust boundary was still npm's official distribution path: a developer or build system resolving @coveops/abi to 2.0.1 received attacker-supplied JavaScript under the legitimate package name.

The payload family was aimed at browser-side cryptocurrency theft. Public advisories describe code that watched web3 transaction activity and attempted to redirect payments to attacker-controlled addresses. That made the package dangerous when bundled into front-end code or applications that touched wallet flows.

This record preserves the CoveOps package coordinate, hash, and one-day exposure window. The parent [[qix-npm-phishing-2025]] record carries the phishing path, shared wallet-drainer behavior, and larger npm campaign context.
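A lockfile check for the coordinate this record names, added here as an example (it is not code from JFrog or from the source record). It assumes an already parsed package-lock.json; the sample lockfiles, the `wallet-ui` package name and every version other than 2.0.1 are constructed.

```javascript
// Coordinate taken from this record.
const FLAGGED = { name: "@coveops/abi", version: "2.0.1" };

// Return every location in a parsed package-lock.json that resolves to the flagged release.
function findFlagged(lock, flagged = FLAGGED) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2 and 3: flat "packages" map keyed by install path.
    const marker = "node_modules/";
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (!path.includes(marker)) continue; // root project or workspace entry
      // The package name is whatever follows the last node_modules/ segment,
      // so nested copies under another dependency are matched too.
      const name = path.slice(path.lastIndexOf(marker) + marker.length);
      if (name === flagged.name && entry.version === flagged.version) hits.push(path);
    }
    return hits;
  }
  // lockfileVersion 1: nested "dependencies" tree keyed by package name.
  const walk = (deps, trail) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const here = trail.concat(name);
      if (name === flagged.name && entry.version === flagged.version) hits.push(here.join(" > "));
      walk(entry.dependencies, here);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfiles (hypothetical project and dependency names).
const SAMPLE_LOCK_V3 = {
  lockfileVersion: 3,
  packages: {
    "": { name: "constructed-app", version: "1.0.0" },
    "node_modules/@coveops/abi": { version: "2.0.0" },
    "node_modules/wallet-ui": { version: "1.4.2" },
    "node_modules/wallet-ui/node_modules/@coveops/abi": { version: "2.0.1" },
  },
};
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    "wallet-ui": { version: "1.4.2", dependencies: { "@coveops/abi": { version: "2.0.1" } } },
  },
};

console.log(findFlagged(SAMPLE_LOCK_V3), findFlagged(SAMPLE_LOCK_V1));
```

A hit means the build resolved the flagged version at that path; a top-level entry at a different version does not rule out a nested copy.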

Affected Artifacts

Incident Context

Motive: Financial Gain
Attribution: Group
Cause: Social Engineering
Transitive: No
Actor: Third Party

External References

Source record: oss/attacks/coveops-abi/meta.yaml