Recommended

#BTCCOGWEEK: Celebrate the Classics of Meme Coins
Crypto Deposit Make instant crypto transfers to your futures account
USDT-M Perpetual Futures Trade futures contracts settled in USDT
VIP Fee Discounts Enjoy different fee discounts based on your VIP level
Coin-M Perpetual Futures Trade futures contracts settled in cryptocurrency
Fiat Deposit Buy your favourite coins in seconds
Affiliates Invite friends & get rewarded
Convert Covert your crypto instantly
Support Centre Find our FAQs here
Announcements Find all our official announcements
BTCC Academy Learn about blockchain and crypto
News The latest trends in the crypto market

Promotions

Referral
Campaigns
Assets
Crypto Deposit
Fiat Deposit
Convert
Transfer
Withdraw
My vouchers
Fund history
Dashboard
Account Security
Identity verification
API Management
Transaction Report
Log out
Register
BTCC / BTCC Square / CointribuneEN /
Ledger CTO Sounds Alarm: NPM Supply-Chain Attack Puts Crypto Security at Immediate Risk

Ledger CTO Sounds Alarm: NPM Supply-Chain Attack Puts Crypto Security at Immediate Risk

Author:
CointribuneEN
Published:
2025-09-09 13:05:00
6
2

BREAKING: Digital asset security faces critical threat as malicious actors infiltrate developer infrastructure.

THE VULNERABILITY

Ledger's Chief Technology Officer issues urgent warning about compromised NPM packages targeting cryptocurrency developers. The supply-chain attack embeds malicious code into commonly used libraries—bypassing traditional security measures and putting wallet security at direct risk.

INDUSTRY IMPACT

This breach exposes the fragile underbelly of crypto infrastructure—where billions in digital assets depend on open-source components maintained by often-underfunded developers. The attack vector demonstrates how easily trust in critical financial infrastructure can be compromised.

SECURITY RESPONSE

Ledger's team immediately notified major exchanges and wallet providers while working with NPM to remove malicious packages. The CTO emphasizes this isn't just a Ledger problem—it's an ecosystem-wide threat requiring coordinated response from all major players.

Wake-up call: While traditional finance spends millions on security audits, crypto's open-source ethos sometimes means trusting anonymous packages with your life savings—until reality bites with a nine-figure hack.

Ledger CTO points urgently at a screen displaying a shadowy NPM digital threat targeting a crypto wallet.

In brief

  • Hackers took over a reputable NPM developer account, triggering a supply-chain breach that put the JavaScript community at risk.
  • Over 1 billion downloads of compromised packages raised fears of widespread exposure across the entire ecosystem.
  • Ledger CTO Charles Guillemet advised verifying every transaction and using hardware wallets with secure displays for protection.

NPM Breach Raises Concerns for Wallet Safety

Charles Guillemet, chief technology officer at Ledger, revealed the extent of the threat. He reported that a major NPM account had been hijacked and that affected packages had already been downloaded over one billion times. Given this reach, he said the entire JavaScript ecosystem could be exposed. The malicious code worked silently, switching cryptocurrency addresses in real time to divert funds to attackers.

Guillemet urged caution. He explained that users of hardware wallets remain SAFE if they carefully verify every transaction before approving. For those relying on software wallets, he recommended avoiding on-chain transactions until the situation becomes clearer. He also noted that it is still uncertain whether the attackers are directly attempting to extract recovery seeds from software wallets.

Developer Confirms Account Takeover

The maintainer at the center of the breach, Josh Junon, confirmed that his NPM account had been compromised. In a post on Bluesky, he explained that the takeover resulted from a phishing campaign. The attackers had set up a fake domain, ‘support [at] npmjs [dot]’ help, designed to resemble the official npmjs.com site.

Maintainers received threatening emails claiming their accounts WOULD be locked on September 10, 2025. These messages included links that redirected to phishing sites designed to steal credentials. The fake email claimed:

To maintain the security and integrity of your account, we kindly ask that you complete this update at your earliest convenience. Please note that accounts with outdated 2FA credentials will be temporarily locked starting September 10, 2025, to prevent unauthorized access.

Other developers soon reported being targeted in the same way, confirming the phishing scheme reached beyond a single maintainer.

NPM Breach Response and Technical Breakdown

The NPM team acted quickly once the breach was detected, moving to take down the malicious versions uploaded by the attackers. Among those removed was a release of the debug package, which is downloaded hundreds of millions of times each week—estimated at around 357 million.

Further analysis was conducted by Aikido Security, and the investigation revealed the following:

  • Attackers added malicious code into index.js files of hijacked packages. This acted as a browser interceptor, hijacking traffic and targeting crypto users.
  • The malware embedded in browsers and hooked into functions like fetch, XMLHttpRequest, and wallet APIs such as window.ethereum and Solana, giving it access to web and wallet activity.
  • Once active, it scanned data for wallet addresses across Ethereum, Bitcoin, Solana, Tron, Litecoin, and Bitcoin Cash. Detected addresses were swapped with attacker-controlled ones, often made to look similar.
  • It altered transaction details before signing, changing recipients, approvals, or allowances while the interface appeared normal, sending funds to attackers.
  • To stay hidden, it avoided visible changes when a wallet was present, instead running quietly in the background and manipulating real transactions.

Call for Stronger Precautions

In comments to CoinDesk, Guillemet warned that decentralized applications or software wallets including the compromised packages may not be secure, leaving crypto users at risk of losing funds. He emphasised that the most reliable safeguard is a hardware wallet with a secure display that supports Clear Signing.

This approach allows users to verify the address and details of each transaction directly on the device’s screen, ensuring that what they approve matches their intention.

He added that the situation serves as a strong reminder of essential practices: “always verify your transactions, never blind sign.” He also advised the use of a hardware wallet with a secure display to help ensure safety.

Maximize your Cointribune experience with our "Read to Earn" program! For every article you read, earn points and access exclusive rewards. Sign up now and start earning benefits.


|Square

Get the BTCC app to start your crypto journey

Download on the App Store GEI IT ON Google Play

Get started today Scan to join our 100M+ users

Exchange for a better future

Products
Services
Guides
About Us
Terms & Agreement
Customer Service
Social Media

Risk warning: Digital asset trading is an emerging industry with bright prospects, but it also comes with huge risks as it is a new market. The risk is especially high in leveraged trading since leverage magnifies profits and amplifies risks at the same time. Please make sure you have a thorough understanding of the industry, the leveraged trading models, and the rules of trading before opening a position. Additionally, we strongly recommend that you identify your risk tolerance and only accept the risks you are willing to take. All trading involves risks, so you must be cautious when entering the market.

The world’s longest-running cryptocurrency exchange since 2011 © 2011 - 2025 BTCC.com. All rights reserved