Ledger CTO warns users to halt onchain transactions amid massive NPM supply chain attack

THE BLOCK
By THE BLOCK
2025-09-08 18:58

Ledger Chief Technology Officer Charles Guillemet issued a critical warning on Monday when he recommended that some people temporarily cease onchain transactions in light of what appears to be a major cyber attack.

"There’s a large-scale supply chain attack in progress: the NPM account of a reputable developer has been compromised. The affected packages have already been downloaded over 1 billion times, meaning the entire JavaScript ecosystem may be at risk," Guillemet said in a post on X. "If you use a hardware wallet, pay attention to every transaction before signing and you're safe. If you don’t use a hardware wallet, refrain from making any on-chain transactions for now."

Guillemet's warning follows what @0xCygaar called a "supply chain attack currently affecting the NPM account of a reputable developer." Some have suggested the event could be "the largest supply chain attack ever."

A supply chain attack involves a hacker or hackers compromising a trusted part of the software distribution process rather than targeting individual users.

"The malicious payload works by silently swapping crypto addresses on the fly to steal funds," Guillemet said.

In simple terms, it appears a hacker took over the account of a trusted software developer on NPM, a popular platform where developers share code for JavaScript projects. These compromised packages have allegedly been downloaded over a billion times, potentially affecting any number of websites and apps — including crypto projects.

As of now, it appears that the hacker was able to add code that changes cryptocurrency addresses in the background, thereby tricking users into sending money to the hacker instead of their intended recipient — not unlike how North Korean hackers were able to drain $1.5 billion in funds from crypto exchange Bybit earlier this year.

The Ledger executive is one of many crypto developers to notice the attack. GCR's 0x_ultra said that "Chalk and projects with it as dependency (2 billion+ weekly downloads) have been pwned ... packages which total 2 billion+ weekly downloads are compromised and stealing all your private keys."

The package maintainer, whose accounts were compromised in the supply-chain attack, confirmed the incident earlier today in a post on Bluesky.

"[H]e was aware of the compromise and adding that the phishing email came from ... a domain that hosts a website impersonating the legitimate npmjs.com domain," according to Bleeping Computer. "In the emails, the attackers threatened that the targeted maintainers' accounts would be locked on September 10th, 2025, as a scare tactic to get them to click on the link redirecting them to the phishing sites."

According to @0x_ultra, the packages appear to have been patched around 15:15 UTC, though others remain concerned that website frontends may still be vulnerable.

"If you use a Ledger or hardware wallet with clear signing, you are not at risk," Guillemet stressed.

"Looks like NPM disabled the compromised versions of these packages," said @0xCygaar. "However, if your app did an npm update in the last few hours you might still be at risk. Would highly recommend devs check all their dependencies."
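A defender-side dependency check in the spirit of that recommendation, added here as an example and not code from the article, Ledger, npm or any of the people quoted: it walks a package-lock.json (lockfileVersion 2 or 3) and reports every installed copy, direct or transitive, whose name and version appear on an advisory list. The package names and versions in the list and in the sample lockfile are constructed placeholders; the real compromised versions are not given in the article and must come from the published advisory.

```javascript
// Added example: audit an npm lockfile (lockfileVersion 2/3 "packages" map)
// against a list of known-bad package versions. Names and versions below are
// CONSTRUCTED placeholders, not the real affected packages.
// Hypothetical advisory list: package name -> set of compromised versions.
const ADVISORY = {
  "example-compromised-pkg": new Set(["9.9.9"]),          // placeholder
  "@example/another-compromised-pkg": new Set(["1.2.3"]), // placeholder
};

// Derive the package name from a lockfile path, keeping scoped names intact:
// "node_modules/a/node_modules/@scope/b" -> "@scope/b".
function packageName(lockPath) {
  const parts = lockPath.split("node_modules/");
  return parts[parts.length - 1];
}

// Return every installed (name, version) that is on the advisory list.
// Nested copies under another package's node_modules are checked too, since a
// transitive dependency pulled in by "npm update" is exactly the risky case.
function findCompromised(lockfile, advisory = ADVISORY) {
  const hits = [];
  for (const [lockPath, meta] of Object.entries(lockfile.packages || {})) {
    if (lockPath === "") continue; // the root project entry, not a dependency
    const name = meta.name || packageName(lockPath);
    const bad = advisory[name];
    if (bad && bad.has(meta.version)) {
      hits.push({ path: lockPath, name, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfile: one direct copy on a clean version, one
// transitive copy on a listed version, and one scoped package on a listed version.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-dapp", version: "1.0.0" },
    "node_modules/example-compromised-pkg": { version: "9.9.8" },
    "node_modules/some-lib": { version: "2.0.0" },
    "node_modules/some-lib/node_modules/example-compromised-pkg": { version: "9.9.9" },
    "node_modules/@example/another-compromised-pkg": { version: "1.2.3" },
  },
};

const sampleHits = findCompromised(SAMPLE_LOCK);
for (const h of sampleHits) {
  console.log(`COMPROMISED ${h.name}@${h.version} at ${h.path}`);
}
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` and ADVISORY with the published list; lockfileVersion 1 files use a nested "dependencies" tree instead and are not handled here.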
