Supply Chain Attacks Are Eating Web3: What Teams Need to Do Now
This week has once again shown that supply chain and operational security are among the weakest links in blockchain security and are increasingly being targeted by bad actors. While so much attention goes to smart contract exploits and protocol bugs, human and infrastructure vectors keep proving to be fertile ground for attackers.
NPM Package / Developer Compromise
One major incident involved the Node Package Manager (NPM). A single developer account was compromised, which allowed attackers to inject malicious code into widely used NPM packages (cumulatively downloaded over 2 billion times).
In this particular case, the malicious code modified Ethereum and Solana transactions created by wallets to send funds to the attacker's address before being signed by the user.
Whilst the impact seems limited so far, the exploit highlights the danger of library dependencies in Web3, and in software in general. The exploit appears to have hinged on an individual operational security weakness, potentially a lack of strong authentication or multi-factor authentication (MFA), illustrating how one compromised developer account can cascade through the software supply chain.
Swissborg / Kiln API Exploit
Another major incident: Swissborg, a crypto-wealth management platform, lost approximately 192,600 SOL (about US$41 million) via an exploit of its staking partner Kiln’s API.
(https://rekt.news/swissborg-rekt)
The exploit targeted Kiln’s API, which Swissborg used for its Solana Earn program. Whilst details have not been made public, it appears that a compromised API gave attackers the ability to send unauthorized withdrawal requests.
In response, Kiln initiated an “orderly exit” of its Ethereum validators (a precaution to protect client assets) while it hardens its infrastructure.
Broader Implications & Weaknesses
These events reinforce a few recurring themes:
Human and operational security is often more fragile than code. Compromised credentials, weak authentication, and misconfigured permissions are cheaper and (for attackers) more reliable than tricky protocol bugs.
Supply chain risk is far greater than most projects realize. It includes software dependencies, APIs, vendor relationships, infrastructure providers, staking partners, and so on. If a supply chain partner is weak, your risk is exposed.
Weak individual operational security seems to be a common thread.
Operational and supply chain security must be elevated in priority to the same level as smart contract audits. A flawless contract won’t save you if attackers get in through weak developer practices, compromised dependencies, or sloppy key management.
That’s why we run dedicated Operational Security (OpSec) training: short, practical sessions designed for both technical and non-technical team members. Our workshops help teams recognize real-world attack paths, tighten their workflows, and reduce the risk of human error.
Upcoming sessions:
45-minute seminar for non-technical Web3 team members — Oct 2, 4pm CET
2.5-hour deep dive OpSec seminar — Oct 7, 3pm CET
Sign up here to receive the streaming link and updates!
Follow us on Twitter, book a slot, or request an audit on our website.