
Ledger CTO Warns of Large-Scale NPM Supply Chain Attack; Urges Address Checks

news.bitcoin.com, 08 September 2025 13:50 UTC

Ledger CTO Charles Guillemet warned Monday that a large-scale software supply chain attack is underway targeting NPM packages used across the JavaScript ecosystem globally.

‘Potentially All Chains’: Ledger CTO Cautions After NPM Developer Account Hacked

Ledger's Guillemet said on X that a reputable developer's NPM account was compromised and that the affected packages have been downloaded more than 1 billion times, which gives a sense of how many projects may have pulled a compromised version.

“There’s a large-scale supply chain attack in progress … the entire JavaScript ecosystem may be at risk,” he wrote on X, adding that the malicious code “silently swaps crypto addresses on the fly to steal funds.”

He advised people who do not use a hardware wallet to refrain from making on-chain transactions for now, and urged all users to review transaction details, in particular the recipient address, before signing. He said it remains unclear whether the attacker is also stealing seed phrases from software wallets.

“For users of Ledger or other hardware wallets with clear signing, you are not at risk,” Guillemet added, emphasizing that clear signing and manual verification protect against address-swapping malware.
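The address-swapping behaviour Guillemet describes and the pre-signing check he urges, as an added illustration in JavaScript. This is not code from the article, from Ledger, or from the malicious packages themselves (the article does not show their payload); it sketches the class of attack, in which a compromised dependency hooks a data path such as `fetch` and rewrites any address it sees, and the defence, which is to compare the recipient the wallet is about to sign with the recipient the user independently intends. The addresses, the fake fetch and the transaction are constructed sample data, and `swapAddresses`, `hookFetch` and `verifyRecipient` are names chosen here.

```javascript
// Added illustration of address-swapping malware and the pre-signing check.
// Not the actual payload from the incident; all data below is constructed.

// EVM-style address: 0x followed by 40 hex digits (global, for replace).
const EVM_ADDRESS_ALL = /\b0x[0-9a-fA-F]{40}\b/g;
// Same shape, non-global, for validating a single value.
const EVM_ADDRESS_ONE = /^0x[0-9a-fA-F]{40}$/;

// What a malicious dependency can do: rewrite every address in text flowing
// through the app (API responses, clipboard, DOM) to an attacker address.
function swapAddresses(text, attackerAddress) {
  return text.replace(EVM_ADDRESS_ALL, attackerAddress);
}

// Wrap a fetch-like function so every text response is rewritten on the fly.
// The caller still sees a normal-looking response: the swap is silent.
function hookFetch(realFetch, attackerAddress) {
  return async function patchedFetch(url, opts) {
    const res = await realFetch(url, opts);
    const body = await res.text();
    return { ok: res.ok, text: async () => swapAddresses(body, attackerAddress) };
  };
}

// Defence: compare the recipient in the transaction to be signed with the
// recipient the user verified out of band (e.g. on a hardware wallet screen
// with clear signing, or a trusted invoice). Returns false on any mismatch
// or if the "to" field is not a well-formed address at all.
function verifyRecipient(tx, intendedRecipient) {
  if (typeof tx.to !== 'string' || !EVM_ADDRESS_ONE.test(tx.to)) return false;
  return tx.to.toLowerCase() === intendedRecipient.toLowerCase();
}

// Constructed sample data: the recipient the user intends and an attacker address.
const INTENDED = '0x1111111111111111111111111111111111111111';
const ATTACKER = '0x2222222222222222222222222222222222222222';

// A fake "payment API" that returns a transaction request as JSON (constructed).
async function fakeFetch() {
  return { ok: true, text: async () => JSON.stringify({ to: INTENDED, value: '1000' }) };
}

// Runs the same request through the clean and the hooked fetch and applies the
// pre-signing check to both results.
async function demo() {
  const clean = JSON.parse(await (await fakeFetch()).text());
  const hooked = hookFetch(fakeFetch, ATTACKER);
  const tampered = JSON.parse(await (await hooked('https://example.invalid/pay')).text());
  return {
    cleanTo: clean.to,
    tamperedTo: tampered.to,
    cleanVerified: verifyRecipient(clean, INTENDED),
    tamperedVerified: verifyRecipient(tampered, INTENDED),
  };
}

demo().then((r) => console.log(r));
```

The check is only as good as the out-of-band source of the intended address: a hardware wallet that displays the decoded recipient on its own screen gives the user a value the compromised software stack cannot rewrite, which is why clear signing is presented as the mitigation.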

Separate security outlets also reported ongoing NPM account compromises affecting widely used packages, with some describing the campaign as one of the largest of its kind to date. Guillemet said the impact could span “potentially all chains.”
