JavaScript Packages Hijacked in Sophisticated Supply Chain Attack; Ledger Issues Urgent Crypto Security Alert


Published:
2025-09-08 21:42:10

JavaScript Packages Hijacked in Attack; Ledger Urges Caution with Crypto

Another day, another crypto security nightmare—because who needs sleep when you've got digital assets to protect?

Supply Chain Sabotage Exposed

Attackers took over the npm account of a widely used JavaScript maintainer and published malicious versions of multiple packages. The injected code targets cryptocurrency wallets and sensitive data, and because it arrives through an ordinary dependency update it bypasses the usual perimeter controls and lands directly in developers' build pipelines.

Ledger's Stark Warning

The hardware wallet giant urges immediate caution with all crypto interactions: move to the patched package versions, audit what your dependency tree actually pulls in, verify every transaction before signing, and reconsider that "trust but verify" approach: just verify everything.

Because nothing says "financial revolution" like having to double-check every line of code before your life savings disappear into some hacker's pocket.

TLDR

  • A trusted developer’s NPM account was hacked, affecting JavaScript packages with over 1B downloads.
  • Ledger CTO urges users without hardware wallets to stop onchain transactions for now.
  • Malicious code swaps crypto addresses silently to divert funds to attackers.
  • Some compromised packages have now been patched, but risks may still exist for apps that already pulled the bad versions.

Ledger’s Chief Technology Officer Charles Guillemet issued a public warning about a major supply chain attack. The issue stems from the compromise of an NPM account belonging to a widely respected JavaScript developer.

The affected packages have reportedly been downloaded over one billion times. This scale has led to fears that countless websites and applications, particularly crypto-related ones, could be at risk. According to Guillemet, the malicious code is designed to silently replace wallet addresses, redirecting funds to the attacker.

“This is a large-scale supply chain attack,” Guillemet posted on X. “The entire JavaScript ecosystem may be affected.”

Users Urged to Pause Onchain Transactions

Guillemet strongly recommended that users without hardware wallets pause all onchain transactions for the time being. He emphasized that users who rely on hardware wallets with clear signing are generally secure, provided they carefully verify each transaction on the device before approving it.

“If you use a hardware wallet, pay attention to every transaction before signing and you’re safe,” he said. “If you don’t, refrain from making any on-chain transactions for now.”

Other developers, such as @0xCygaar and GCR’s 0x_ultra, echoed the concerns, describing it as a potentially historic supply chain breach. “Projects with dependencies totaling 2 billion+ weekly downloads are compromised,” 0x_ultra said.

Malicious Code and Phishing Campaign Revealed

The attack appears to have started with a phishing campaign. The package maintainer confirmed their NPM account was compromised after clicking a phishing link.

The email came from a fake domain that imitated npmjs.com and falsely warned of an upcoming account lock on September 10, 2025.

Once in control of the account, the attacker published package versions carrying code that alters wallet addresses during transactions, so funds a user believes they are sending to one address end up with the attacker. A comparable technique, malicious JavaScript changing what the victim actually signs, was used in the earlier Bybit hack attributed to North Korean actors, in which over $1.5 billion was stolen.
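The address swap described above and the reason clear signing defeats it, as an added example that is neither the real malicious payload nor code from Ledger: a toy JavaScript model in which a compromised dependency monkey-patches the wallet provider to rewrite the recipient of every outgoing transaction. The same transaction is then sent once through a software wallet that signs whatever it is handed, and once through a clear-signing hardware wallet whose on-device display the page's JavaScript cannot alter. The provider, signers, function names and addresses are all constructed for illustration.

```javascript
// Added example (not the malware's code and not Ledger's): a toy model of an
// address-swapping dependency, and the clear-signing check that defeats it.
// All names and addresses below are constructed placeholders.

// --- 1. The legitimate dApp layer -------------------------------------------
// A minimal "provider" standing in for window.ethereum: it forwards JSON-RPC
// requests to a (simulated) wallet and returns the payload that was signed.
function makeProvider(signer) {
  return {
    request(req) {
      if (req.method !== 'eth_sendTransaction') throw new Error('unsupported');
      return signer.sign(req.params[0]);
    },
  };
}

// --- 2. The malicious dependency --------------------------------------------
// A compromised package runs at import time with the same privileges as the
// app. This constructed version monkey-patches the provider and rewrites the
// recipient of every outgoing transaction. The page describes the real
// payload only as "silently replacing wallet addresses".
const ATTACKER = '0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'; // constructed
function injectAddressSwapper(provider) {
  const original = provider.request.bind(provider);
  provider.request = (req) => {
    if (req.method === 'eth_sendTransaction') {
      // Only the copy handed to the signer is changed; the page UI still
      // shows the address the user typed, so nothing looks wrong on screen.
      const tx = { ...req.params[0], to: ATTACKER };
      return original({ ...req, params: [tx] });
    }
    return original(req);
  };
}

// --- 3. Two kinds of signer -------------------------------------------------
// A software wallet signs whatever it is handed; the only "display" is the
// dApp's own page, which the malicious dependency also controls.
const blindSigner = {
  sign(tx) { return { signed: tx }; },
};

// A hardware wallet with clear signing decodes the transaction on its own
// screen and asks the user to confirm it. Page JavaScript cannot touch that
// display, so the check runs on an independent view of the data.
function clearSigningSigner(userConfirms) {
  return {
    sign(tx) {
      // `userConfirms` models the person reading the device screen and
      // comparing it with the recipient they intended.
      if (!userConfirms(tx)) throw new Error('rejected on device');
      return { signed: tx };
    },
  };
}

// --- 4. The transaction the user intends to send ----------------------------
const INTENDED_TO = '0x1111111111111111111111111111111111111111'; // constructed
const SENDER = '0x2222222222222222222222222222222222222222';      // constructed

function sendPayment(provider) {
  return provider.request({
    method: 'eth_sendTransaction',
    params: [{ from: SENDER, to: INTENDED_TO, value: '0x2386f26fc10000' }],
  });
}

// Scenario A: compromised dependency + software wallet -> funds diverted.
function scenarioSoftwareWallet() {
  const provider = makeProvider(blindSigner);
  injectAddressSwapper(provider);
  return sendPayment(provider).signed.to;   // the attacker's address
}

// Scenario B: same compromised dependency + clear-signing hardware wallet,
// user compares the on-device recipient against the one they intended.
function scenarioHardwareWallet() {
  const provider = makeProvider(
    clearSigningSigner((tx) => tx.to.toLowerCase() === INTENDED_TO.toLowerCase()),
  );
  injectAddressSwapper(provider);
  try {
    sendPayment(provider);
    return 'signed';
  } catch (e) {
    return e.message;                       // 'rejected on device'
  }
}
```

The point of the model is where the comparison happens. In scenario A every view the user has of the transaction is rendered by code the compromised dependency can rewrite, so there is nothing independent to compare against. In scenario B the device renders the fields it will actually sign, which is why Guillemet's advice reduces to reading that screen carefully: a wallet that shows only a hash, or a user who approves without reading, gets scenario A's outcome.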

Patches Released, But Developers Still on Alert

According to @0x_ultra, some of the compromised packages had been patched by 15:15 UTC on the day of the breach. Security experts caution that risks remain nonetheless.

Projects that resolved dependencies while the malicious versions were live, whether through an automatic update or a fresh install against an open version range, may have those versions recorded in their lockfile and bundled into builds that are already deployed. A patched release upstream does not change what was installed.

Ledger and other crypto security teams recommend developers audit all recent updates and review dependencies manually, including transitive ones. Guillemet reaffirmed the importance of using hardware wallets, noting that clear-signing capabilities offer a layer of protection against these kinds of attacks.
