
Crypto faced a serious security scare this week. Ledger’s CTO, Charles Guillemet, revealed that a large-scale supply chain attack targeted the JavaScript ecosystem through compromised NPM packages. These packages had been downloaded more than a billion times, raising alarms across the industry.
The malicious code worked by silently swapping crypto wallet addresses on the fly. In practice, this meant users could send funds to the wrong wallet without realizing it. According to Guillemet, people using hardware wallets were safe, since they could see and verify the final transaction before signing. But those relying on software wallets or exchanges were at greater risk.
How the Attack Happened
The attack began with a phishing email sent to a developer. The fake email, disguised as support from npm, tricked the victim into giving up credentials. This gave attackers access to publish malicious updates to widely used packages.
The injected code was designed to hook into crypto activity across multiple chains, including Ethereum and Solana. It attempted to hijack transactions by replacing wallet addresses inside network responses.
Luckily, the attackers made mistakes. The malicious updates caused crashes in CI/CD pipelines, which led to early detection. As a result, the attack failed with almost no victims. Still, it highlighted how fragile supply chains can be in the software world.
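Because the malicious versions reached victims as ordinary package updates, one defensive control on the developer side is to make CI refuse any lockfile entry that is not pinned to a specific tarball with a strong integrity hash, or whose version has drifted from what the team reviewed. The Node script below is an added example, not code from the article or from Ledger or npm; the lockfile, package names, hashes and pin list in it are all constructed.

```javascript
// Added example: audit a package-lock.json (lockfileVersion 2/3 "packages" map)
// so a CI job fails when a dependency lacks a resolved URL or a sha512 integrity
// hash, or when its installed version differs from an explicitly pinned one.
// The lockfile below is constructed for the demo; hashes are placeholders.

const LOCKFILE = {
  name: "demo-app", lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "pkg-a": "^1.0.0" } },
    "node_modules/pkg-a": {
      version: "1.0.3",
      resolved: "https://registry.npmjs.org/pkg-a/-/pkg-a-1.0.3.tgz",
      integrity: "sha512-" + "A".repeat(86) + "==",   // constructed placeholder
    },
    "node_modules/pkg-b": {
      version: "2.1.0",
      resolved: "https://registry.npmjs.org/pkg-b/-/pkg-b-2.1.0.tgz",
      // no integrity field: npm cannot verify the tarball it installs
    },
    "node_modules/pkg-c": {
      version: "4.2.0",
      resolved: "https://registry.npmjs.org/pkg-c/-/pkg-c-4.2.0.tgz",
      integrity: "sha1-" + "B".repeat(27) + "=",      // weak algorithm, constructed
    },
  },
};

// Versions a human reviewed; anything else is drift that needs a second look.
const PINS = { "pkg-a": "1.0.3", "pkg-c": "4.1.9" };

function auditLockfile(lock, pins) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue;                          // root project entry
    // Strip leading "node_modules/" segments; keeps "@scope/name" intact.
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    if (!entry.resolved) findings.push({ name, issue: "no resolved URL" });
    if (!entry.integrity) findings.push({ name, issue: "no integrity hash" });
    else if (!entry.integrity.startsWith("sha512-"))
      findings.push({ name, issue: `weak integrity algorithm ${entry.integrity.split("-")[0]}` });
    if (pins[name] && pins[name] !== entry.version)
      findings.push({ name, issue: `version ${entry.version} differs from pinned ${pins[name]}` });
  }
  return findings;
}

const findings = auditLockfile(LOCKFILE, PINS);
findings.forEach((f) => console.error(`[lockfile-audit] ${f.name}: ${f.issue}`));
// In a real pipeline, fail the job when findings is non-empty (e.g. process.exitCode = 1).
```

Run against the constructed lockfile it reports three findings: pkg-b has no integrity hash, and pkg-c uses a sha1 integrity and has drifted from its pinned version.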
This incident shows just how dangerous supply chain compromises can be. Even one developer account being compromised can potentially expose millions of users. For crypto holders, it is another reminder that funds stored in hot wallets or exchanges are never completely safe.
As Guillemet explained: “If your funds sit in a software wallet or on an exchange, you’re one code execution away from losing everything.”
🚨 There’s a large-scale supply chain attack in progress: the NPM account of a reputable developer has been compromised. The affected packages have already been downloaded over 1 billion times, meaning the entire JavaScript ecosystem may be at risk.
— Charles Guillemet (@P3b7_) September 8, 2025
The malicious payload works…
How to Stay Safe
There are steps everyone can take to protect themselves:
- Always use a hardware wallet when possible. Hardware wallets like Ledger are built to keep private keys safe even if your computer is compromised.
- Check every transaction before signing. Even with a hardware wallet, you should carefully read the wallet address, amount, and network before approving.
- Beware of phishing emails. Most attacks begin with social engineering. Never click suspicious links or share credentials.
- Use Clear Signing features. This lets you see exactly what you’re approving on your device screen, making it harder for attackers to trick you.
- Stay updated. Keep an eye on official alerts from wallet providers and security researchers.
The immediate danger from this attack has passed, but the threat is not gone. Supply chain attacks remain one of the most powerful ways to deliver malware, and attackers are only getting more creative.