NPM Supply-Chain Attack Puts Crypto Wallets at Risk — Experts Urge Users to Pause Transactions

NPM supply-chain attack risks crypto wallets by swapping addresses in web front-ends. Experts warn: stop signing transactions until packages are secured.

A large-scale supply-chain attack on NPM packages is threatening crypto wallets and web-based dApps after a reputable developer account was compromised, security researchers and industry figures warned.

Ledger CTO Charles Guillemet flagged the incident on X, saying the exploit injects a malicious payload that can silently replace cryptocurrency addresses in browser-based transaction flows. According to researchers, the compromised packages were collectively downloaded more than 1 billion times, potentially exposing a wide range of JavaScript projects and crypto front-ends.

Blockchain security firm Blockaid and independent developers identified roughly two dozen affected libraries, including low-level utilities such as color-name and color-string. The payload does not alter on-chain contracts; instead it changes the destination address shown to the user on the page before they approve a transaction, which makes it a dangerous front-end attack: the wallet signs exactly what the tampered page presents.

Security voices, including developer Cygaar, have advised users to stop signing transactions on web wallets and connected sites while teams clean up their dependencies. NPM reportedly disabled the compromised packages after the incident was disclosed, but developers are urged to audit project dependencies (including transitive ones pulled in by other libraries) and to pin exact versions so that a routine install cannot silently upgrade to a tampered release.
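A small dependency audit of the kind the advice above calls for, written as an added example rather than code from the article or from any of the projects it names. It assumes an npm lockfile in the lockfileVersion 2/3 layout (a flat "packages" map keyed by install path), uses the two package names the article lists as a watch list, and uses constructed sample inputs; since the article gives no affected version numbers, every installed copy of a watch-listed package is reported for comparison against the advisory.

```javascript
// Watch list taken from the article (versions are not given there, so all copies are reported).
const WATCHLIST = new Set(["color-name", "color-string"]);

// Lockfile keys look like "node_modules/chalk/node_modules/color-name";
// the package name (scoped or not) is everything after the last "node_modules/".
function packageNameFromPath(key) {
  const idx = key.lastIndexOf("node_modules/");
  return idx === -1 ? null : key.slice(idx + "node_modules/".length);
}

// Every installed copy of a watch-listed package, nested ones included: { name, version, path }.
function findWatchlisted(lock, watchlist = WATCHLIST) {
  const hits = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    const name = packageNameFromPath(key);
    if (name && watchlist.has(name)) hits.push({ name, version: entry.version, path: key });
  }
  return hits;
}

// Only an exact semver string counts as pinned; ranges (^, ~, *), dist-tags and
// URL specs are all reported, because each can resolve to a newer release on the next install.
function isFloatingSpec(spec) {
  return !/^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/.test(spec);
}

// Direct dependencies in package.json whose spec allows an automatic upgrade.
function floatingDeps(pkg) {
  const out = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (isFloatingSpec(spec)) out.push({ name, spec, field });
    }
  }
  return out;
}

// Constructed sample inputs standing in for a project's package-lock.json and package.json.
const sampleLock = { lockfileVersion: 3, packages: {
  "": { name: "demo-dapp", version: "0.1.0" },
  "node_modules/chalk": { version: "4.1.2" },
  "node_modules/chalk/node_modules/color-name": { version: "1.1.4" },
  "node_modules/color-string": { version: "1.9.1" },
} };
const samplePkg = { dependencies: { chalk: "^4.1.2", "color-string": "1.9.1", ethers: "*" } };

// For a real project, replace the samples with JSON.parse(fs.readFileSync("package-lock.json", "utf8")) etc.
console.log(findWatchlisted(sampleLock)); // 2 hits: color-name 1.1.4 (nested under chalk), color-string 1.9.1
console.log(floatingDeps(samplePkg));     // 2 entries: chalk "^4.1.2" and ethers "*"
```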

The NPM account tied to the incident, known as qix, was reportedly hijacked after an attacker used an email-based password reset to bypass two-factor authentication. The account owner said they are cooperating with the NPM security team and that the malicious code has been removed from most of the affected packages.

This episode highlights how crypto products remain exposed to broader open-source and Web2 supply-chain risks. Users should be cautious, double-check transaction details, and prefer hardware or audited wallet apps when possible.

Source: Decrypt. Read the original coverage for full details.
