Ledger CTO Warns of Major Supply Chain Attack Targeting JavaScript Ecosystem
The attack works by silently swapping crypto addresses to steal funds, and it exploits trusted distribution channels, making end-users vulnerable even if their personal systems are not compromised.
The compromise was a result of a phishing attack that tricked developers into clicking malicious links, and security experts are advising caution until the full scope of the attack is determined.
Ledger’s CTO, Charles Guillemet, issued a warning about what he described as a large-scale supply chain attack targeting the open-source ecosystem.
In a post to X on Monday, Guillemet said the Node Package Manager (NPM) account of a reputable developer had been compromised, with the attacker inserting malicious code into widely used packages that have been downloaded more than one billion times.
The malicious payload works by silently swapping crypto addresses on the fly to steal funds. If you use a hardware wallet, pay attention to every transaction before signing and you’re safe.
The exploit allows hackers to alter destination wallet addresses during transactions, redirecting funds without user awareness. Guillemet did not disclose which developer account was breached.
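As an added illustration (not code from the article, Ledger, or the affected packages), the JavaScript below shows the defender-side check the warning implies: compare the destination address the user actually confirmed against the one in the transaction about to be signed, and verify that runtime functions the wallet relies on have not been replaced by JavaScript wrappers, which is how an injected dependency rewrites addresses "on the fly". Function names, the address values and the list of runtime entry points are constructed for this example.

```javascript
// Added example (not from the article or Ledger): a pre-signing guard against
// silent destination-address swapping. Two defensive checks:
//  1. the address in the transaction to be signed must equal the address the
//     user confirmed out-of-band (e.g. read from the hardware wallet screen);
//  2. runtime functions the wallet depends on must still be native built-ins,
//     since an injected dependency that rewrites addresses in flight does so
//     by replacing them with JavaScript wrappers.
// All names and sample values below are constructed for illustration.

// Normalize an address for comparison. EVM-style hex addresses are
// case-insensitive (the EIP-55 checksum only varies letter case), so they are
// compared lowercase; other formats (base58, bech32) are compared verbatim.
function normalizeAddress(addr) {
  const trimmed = String(addr).trim();
  return /^0x[0-9a-fA-F]{40}$/.test(trimmed) ? trimmed.toLowerCase() : trimmed;
}

// True when fn is a genuine built-in rather than a JS replacement: a
// monkey-patched function serialises to its source text, not "[native code]".
// Caveat: Function.prototype.toString itself can be patched, so a real wallet
// should capture a reference to it at startup, before any dependency loads.
function isNativeFunction(fn) {
  if (typeof fn !== 'function') return false;
  return /\{\s*\[native code\]\s*\}\s*$/.test(Function.prototype.toString.call(fn));
}

// Checks a transaction object against the confirmed destination and against the
// integrity of the listed runtime entry points. Returns { ok, reasons }.
function guardBeforeSigning(tx, confirmedTo, runtimeFns) {
  const reasons = [];
  if (normalizeAddress(tx.to) !== normalizeAddress(confirmedTo)) {
    reasons.push(`destination mismatch: tx.to=${tx.to} confirmed=${confirmedTo}`);
  }
  for (const [name, fn] of Object.entries(runtimeFns)) {
    if (!isNativeFunction(fn)) reasons.push(`${name} replaced by non-native code`);
  }
  return { ok: reasons.length === 0, reasons };
}

// Constructed sample: the user confirmed CONFIRMED on the device screen, but a
// swapping payload rewrote tx.to to an attacker-controlled address.
const CONFIRMED = '0xAbCdEf0123456789AbCdEf0123456789AbCdEf01';
const TAMPERED_TX = { to: '0x0000000000000000000000000000000000001234', value: '1000000000000000000' };
const CLEAN_TX = { to: CONFIRMED.toLowerCase(), value: '1000000000000000000' };

// Runtime entry points to verify; a real wallet would also list its own
// provider's request/send methods and the global fetch here.
const RUNTIME = { 'JSON.stringify': JSON.stringify, 'Array.prototype.map': Array.prototype.map };

console.log(guardBeforeSigning(CLEAN_TX, CONFIRMED, RUNTIME));
console.log(guardBeforeSigning(TAMPERED_TX, CONFIRMED, RUNTIME));
```

The clean transaction passes; the tampered one is rejected with a single mismatch reason, and a wrapper standing in for a built-in is reported as non-native.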
GCR contributor 0x_ultra reported that widely used packages such as Chalk, with over 2 billion weekly downloads, had been compromised and could “steal all your private keys.”
The package maintainer confirmed the account compromise, stating that attackers used phishing emails impersonating the npmjs.com domain and threatening account lockouts to trick maintainers into clicking malicious links.
Fellow devs, it's fully over.
chalk and projects with it as a dependency (2B+ weekly downloads) have been pwned.
Packages which total 2B+ weekly downloads are compromised and stealing all your private keys.
— ultra (@0x_ultra) September 8, 2025
The Systemic Risks of Open-Source Software
NPM is basically a backbone for JavaScript development, with code libraries integrated into countless websites and applications, including crypto platforms. A compromise at the package level can spread vulnerabilities across the entire industry.
Supply chain attacks differ from direct hacks of user accounts or wallets. Instead, they exploit trusted distribution channels, meaning end users can be exposed even if their personal systems remain uncompromised.
The tactic is similar to methods used in past incidents, such as the North Korea-linked exploit earlier this year that drained US$1.5B from Bybit by hijacking trusted systems to reroute funds.
For now, it is better to wait: security experts have warned that until the full scope of the NPM compromise is identified, both developers and crypto users could be at risk.
The post Ledger CTO Warns of Major Supply Chain Attack Targeting JavaScript Ecosystem appeared first on Crypto News Australia.
Filed under: Bitcoin - @ September 9, 2025 5:08 am