A significant supply chain attack is sending shockwaves through the crypto world, putting users worldwide at risk. Ledger’s CTO, Charles Guillemet, is raising the alarm, advising caution and recommending the use of hardware wallets.
The breach originated from a compromised Node Package Manager (NPM) account and has already impacted billions of downloads, threatening the security of millions of decentralized apps (dApps) and cryptocurrency transactions.
“The NPM account of a trusted developer has been hacked. The compromised packages have already been downloaded more than 1 billion times,” Guillemet cautioned.
Ledger CTO Charles Guillemet explained that the malware functions as a crypto clipper, secretly intercepting wallet addresses during transactions and redirecting funds to the attacker’s accounts. He stressed that users exercise extreme caution, particularly those not using hardware wallets.
“If you use a hardware wallet, verify every transaction before signing and you’re protected. If you don’t, avoid on-chain transactions for the time being,” Guillemet advised.
NPM Hack: How the Breach Occurred
Investigations revealed that 18 widely used NPM packages were compromised, including prominent libraries such as chalk, debug, and strip-ansi. The attack, which took place on September 8, is one of the largest in recent memory, affecting libraries with a combined total of over 2 billion weekly downloads.
The breach reportedly began with a phishing email posing as official NPM support, targeting Qix-, a reputable developer. The attackers gained access to Qix-’s NPM account, allowing them to inject malicious updates into popular JavaScript packages.
Once installed, the malware silently swaps copied crypto addresses with lookalike addresses controlled by the hacker. Using Levenshtein distance logic, this trick deceives users into sending funds to the wrong accounts.
Researchers have identified one primary wallet associated with the attack, while flagging several other wallets suspected to be connected.
Ledger’s Charles Guillemet noted that it remains unclear whether the attacker is directly targeting software wallet seeds at this stage. However, recent findings reveal the extent of the impact. Researcher Rani Haddad labeled the attacker’s wallets on Arkham as the entity “NPM attack.” According to the data, the attacker had stolen $497.96 at the time of reporting.
While the immediate financial impact remains relatively small, the potential scale of the damage is significant given the widespread use of the compromised packages.
Community Response and Precautions
Several projects and protocols, including Uniswap, SUI, and Jupiter, confirmed they were not affected but urged users to remain vigilant. Crypto wallet providers like Ledger and MetaMask reassured users about their multi-layered security measures.
The NPM supply chain breach was not the only major security incident on September 8. Swiss crypto wealth platform SwissBorg disclosed a $41 million exploit through a partner API, impacting 1% of its users. Meanwhile, Ethereum L2 project Kinto announced its closure after a July exploit drained 577 ETH, leaving the team unable to secure further funding.
These events underscore the growing sophistication of threats in the crypto space. Moving forward, users, developers, and platforms must adopt stricter security practices and conduct thorough audits of software packages.
