

Charles Guillemet, chief technology officer at hardware wallet maker Ledger, warned on X on Monday that a large-scale supply chain attack is underway after the compromise of a reputable developer's Node Package Manager (NPM) account.
According to Guillemet, the malicious code, already pushed into packages with over 1 billion downloads, is designed to silently swap crypto wallet addresses in transactions. That means unsuspecting users could send funds directly to the attacker without realizing it.
Guillemet didn't name the developer whose account he said was compromised.
The incident underscores how deeply interconnected open-source software is and why security lapses in developer tools can ripple into the crypto economy almost immediately.
🚨 There's a large-scale supply chain attack in progress: the NPM account of a reputable developer has been compromised. The affected packages have already been downloaded over 1 billion times, meaning the entire JavaScript ecosystem may be at risk.
The malicious payload works…
— Charles Guillemet (@P3b7_) September 8, 2025
“NPM is a tool commonly used in software development using JavaScript, which makes integrating packages easy for developers,” said Guillemet in a message to CoinDesk. When an attacker compromises a developer's account, they can slip malicious code into widely used packages.
“The malicious code attempts to drain users by swapping addresses used in transaction or general on-chain activity and replacing them with the hacker’s address,” Guillemet added.
Guillemet stressed that if any decentralized application or software wallet on any blockchain includes these JavaScript packages, then it could be compromised, and crypto users could therefore lose their funds.
“The only sure way to combat this is to use a hardware wallet with a secure screen that supports Clear Signing,” Guillemet told CoinDesk. “This will allow the user to see exactly which addresses funds are being sent to and ensure they match the intended addresses.”
“Hardware wallets without secure screens and any wallet that doesn’t support Clear signing is at high risk as it is impossible to accurately verify the transaction details are correct,” he added.
“It’s an opportunity to remind everyone: always verify your transactions, never blind sign, use a hardware wallet with a secure screen, and Clear Sign everything,” Guillemet said.
Read more: Ledger CTO Addresses Criticism of New Wallet Recovery Service
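The advice above amounts to checking that the transaction actually about to be signed still matches what the user intended. The following is an added example, not Ledger's or CoinDesk's code, of that comparison done in software: the intent a user confirmed is checked against the transaction object a wallet pipeline produced, and a rewritten destination, amount, chain or unexpected calldata is reported. All addresses, amounts and chain ids are constructed. Note that a check running in the same JavaScript process as a compromised dependency can itself be tampered with, which is why the article points to a hardware wallet's secure screen as the independent view.

```javascript
// Added example, not Ledger's or CoinDesk's code: compare what the user meant
// to send with the transaction object a wallet is about to sign. A dependency
// that rewrote the destination shows up as a mismatch. All values constructed.
const HEX_ADDRESS = /^0x[0-9a-fA-F]{40}$/;
// Constructed 20-byte addresses, zero-padded so they are well-formed.
const ALICE = "0x" + "a11ce".padEnd(40, "0");
const ATTACKER = "0x" + "bad".padEnd(40, "0");

function normalizeAddress(addr) {
  if (typeof addr !== "string" || !HEX_ADDRESS.test(addr)) {
    throw new Error(`not a well-formed hex address: ${addr}`);
  }
  return addr.toLowerCase(); // case differences alone are not a mismatch
}

// intent: what the user entered and confirmed; tx: what the signing pipeline
// produced. Returns mismatches; an empty list means the tx matches the intent.
function checkTransactionAgainstIntent(intent, tx) {
  const problems = [];
  if (normalizeAddress(intent.to) !== normalizeAddress(tx.to)) {
    problems.push(`destination changed: expected ${intent.to}, got ${tx.to}`);
  }
  if (BigInt(intent.valueWei) !== BigInt(tx.value)) {
    problems.push(`amount changed: expected ${intent.valueWei}, got ${tx.value}`);
  }
  if (intent.chainId !== tx.chainId) {
    problems.push(`chain changed: expected ${intent.chainId}, got ${tx.chainId}`);
  }
  // A plain transfer carries no calldata; unexpected data can route funds
  // through a contract even when the `to` field looks right.
  const data = tx.data ?? "0x";
  if (intent.kind === "transfer" && data !== "0x") {
    problems.push(`unexpected calldata on a plain transfer: ${data}`);
  }
  return problems;
}

// The user meant to pay Alice 1.5 ETH on chain id 1 (mixed-case address as typed).
const intent = { kind: "transfer", to: "0x" + ALICE.slice(2).toUpperCase(),
                 valueWei: "1500000000000000000", chainId: 1 };
// What an untampered pipeline hands to the signer.
const honestTx = { to: ALICE, value: "1500000000000000000", chainId: 1, data: "0x" };
// What a pipeline with a swapped destination hands to the signer (constructed).
const swappedTx = { to: ATTACKER, value: "1500000000000000000", chainId: 1, data: "0x" };

function verdict(tx) {
  const problems = checkTransactionAgainstIntent(intent, tx);
  return problems.length === 0 ? "ok to sign" : "refuse: " + problems.join("; ");
}
console.log(verdict(honestTx), "|", verdict(swappedTx));
```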