Major Cyber Attack Targets Crypto Users via Compromised NPM Packages

Ledger’s Chief Technology Officer, Charles Guillemet, issued a critical warning today urging users to exercise extreme caution due to a large-scale supply chain attack targeting the JavaScript ecosystem. The attack, which has compromised the Node Package Manager (NPM) account of a reputable developer, has potentially exposed millions of users to malicious code embedded in widely used software packages. With over one billion downloads of the affected packages, the entire JavaScript ecosystem, including numerous cryptocurrency platforms, faces significant risk. This incident underscores the growing sophistication of cyber threats in the crypto space and highlights the importance of robust security practices.

Guillemet’s warning, shared via a post on X, emphasized the severity of the attack, which involves malicious code capable of silently swapping cryptocurrency wallet addresses during transactions. This deceptive tactic redirects funds to attacker-controlled accounts, leaving users unaware that their transactions have been hijacked. The compromised packages, which include popular tools like chalk, debug, and strip-ansi, have been downloaded billions of times weekly, amplifying the potential impact across Web3 and DeFi applications. For now, Guillemet advises users of software wallets, such as MetaMask, Trust Wallet, and Exodus, to halt all on-chain transactions until the threat is fully mitigated.

How the Attack Works and What’s at Stake

The supply chain attack exploits the trust placed in open-source software by infiltrating the NPM account of a well-known developer, identified as Josh Goldberg, also known as “Qix.” Hackers gained access through a phishing campaign that used fraudulent emails impersonating NPM’s support team, tricking the maintainer into revealing credentials via a fake login page. Once in control of the account, the attackers published malicious updates to 18 widely used JavaScript packages, embedding code that intercepts and alters crypto transactions. This code targets users by detecting crypto wallet extensions like MetaMask through the browser’s window object and hooks browser functions to swap legitimate wallet addresses with those controlled by the attackers.

The malicious payload operates across multiple blockchains, including Ethereum, Bitcoin, Bitcoin Cash, Solana, Litecoin, and Tron, making it a broad threat to the crypto ecosystem. By altering transaction data before it reaches the wallet for signing, the malware ensures that users unknowingly send funds to attackers, even when they believe they are interacting with trusted addresses. Security researchers have described the attack as operating on multiple layers, tampering with website displays, API calls, and app interactions, which makes it particularly difficult to detect. While NPM has disabled many of the compromised package versions, experts warn that transitive dependencies and cached code may still pose risks.

Guillemet stressed that users of hardware wallets, such as those produced by Ledger, are largely protected if they verify each transaction on their device’s secure screen before signing. Hardware wallets with clear signing features allow users to confirm the recipient address directly, mitigating the risk of address-swapping attacks. However, software wallet users face a higher risk, as the malware can manipulate transaction details without detection. Developers are urged to audit their projects, pin safe versions of dependencies, and rebuild lockfiles to ensure they are not using compromised code.
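The audit step recommended above, as an added example that is not from the article or from any of the projects it names: a small Node script that walks an npm lockfile (lockfileVersion 2 or 3, the `packages` map) and flags any copy of chalk, debug or strip-ansi whose installed version is not on an explicit allow-list, including transitive copies nested under another dependency’s node_modules. The article gives no version numbers, so the allow-list values and the sample lockfile are constructed placeholders that must be replaced with the releases you have verified.

```javascript
// Added example (not from the article). Audits an npm package-lock.json
// "packages" map for the packages named in the article and reports any
// installed version that is not on a pinned allow-list.

// PLACEHOLDER versions: the article names no safe releases. Replace with the
// versions you have verified before running this against a real lockfile.
const KNOWN_GOOD = {
  chalk: new Set(["0.0.0-PLACEHOLDER"]),
  debug: new Set(["0.0.0-PLACEHOLDER"]),
  "strip-ansi": new Set(["0.0.0-PLACEHOLDER"]),
};

// "node_modules/express/node_modules/debug" -> "debug"; scoped names
// ("node_modules/@scope/name") are kept whole. Returns null for the root "".
function packageNameFromPath(key) {
  const idx = key.lastIndexOf("node_modules/");
  if (idx === -1) return null;
  return key.slice(idx + "node_modules/".length);
}

// Returns one finding per lockfile entry whose version is not allow-listed.
// `transitive` is true when the copy is nested under another package, which
// is exactly the case a top-level `npm ls` glance tends to miss.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = packageNameFromPath(path);
    if (!name || !(name in KNOWN_GOOD)) continue;
    if (!KNOWN_GOOD[name].has(entry.version)) {
      findings.push({
        path,
        name,
        version: entry.version,
        transitive: path.split("node_modules/").length > 2,
      });
    }
  }
  return findings;
}

// Constructed sample lockfile (not a real project): one clean top-level chalk,
// one unvetted strip-ansi, and an unvetted debug pulled in transitively.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/chalk": { version: "0.0.0-PLACEHOLDER" },
    "node_modules/express": { version: "4.19.2" },
    "node_modules/express/node_modules/debug": { version: "9.9.9" },
    "node_modules/strip-ansi": { version: "9.9.9" },
  },
};

console.log(auditLockfile(SAMPLE_LOCK)); // two findings: debug (transitive), strip-ansi
```

On a real project, read package-lock.json with `JSON.parse(fs.readFileSync(...))` and pass the object to `auditLockfile`; any finding means the lockfile should be regenerated against pinned versions rather than patched by hand.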

This attack follows a troubling trend of supply chain vulnerabilities in 2025, with similar incidents targeting JavaScript libraries earlier in the year. For instance, an attack last week exploited Ethereum smart contracts using NPM packages, while a March compromise impacted ten other NPM libraries. The scale of this latest attack, with over two billion downloads of the affected packages in the past week alone, marks it as one of the most severe in the JavaScript ecosystem’s history.

The compromised package maintainer has acknowledged the breach and is working with NPM’s security team to address the issue, with most malicious versions reportedly removed. However, the lingering uncertainty about the full scope of the attack, including whether attackers are also attempting to steal wallet seed phrases, has prompted widespread caution. Protocols within the Solana ecosystem, such as Drift, Solflare, and Kamino, have issued statements confirming that their codebases are unaffected, thanks to safeguards like version locking and thorough code reviews. Despite these assurances, the broader crypto community remains on high alert as developers and users work to contain the threat.