Ledger CTO Warns of NPM Supply-Chain Attack That Replaces Wallet Addresses

Ledger CTO warns an NPM supply-chain attack is swapping crypto wallet addresses in popular JavaScript packages — verify transactions, avoid blind signing.

Charles Guillemet, CTO at hardware wallet maker Ledger, warned on social media that a large-scale NPM supply-chain attack is underway after a reputable developer’s Node Package Manager account was compromised. The malicious code has been pushed into packages that together have been downloaded more than 1 billion times, potentially exposing the entire JavaScript ecosystem.

According to Guillemet, the payload silently swaps cryptocurrency wallet addresses in transaction flows and on-chain interactions, replacing the intended recipient with an attacker-controlled address so that users unknowingly send funds to the attacker. He did not name the affected developer. Because NPM packages are pulled in transitively as dependencies of other packages, a backdoored library can propagate quickly into decentralized apps and software wallets that never import it directly.

This attack puts any application that imports the affected packages, directly or through a dependency, at risk. Users could lose funds if transaction details are altered between the moment they enter a recipient and the moment they sign. Guillemet emphasized practical defenses: use a hardware wallet with a secure screen that supports Clear Signing, never blind-sign transactions, and always verify the recipient address on the device's own screen before approving, since the address displayed by a web page or app can itself have been produced by compromised code.

What to do now: audit dependencies and lockfiles, including transitive packages, pin known-good versions rather than pulling the latest release while the compromised packages are being identified, and prioritize wallets that allow on-device verification of addresses. For readers managing significant assets, treating this as an immediate security event is prudent.
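The following is an added illustration of the attack class described above and of why an in-app address check is not a substitute for on-device verification. It is not the real payload and not code from Ledger, CoinDesk or any affected package; the addresses, the "normalize" helper, the provider object and the method name are all constructed for the example. It shows two things: a compromised helper that rewrites the recipient while the transaction is being built (caught by re-checking the raw address the user typed), and a provider-level hook that swaps the recipient after that check has passed (caught only by whatever the signer actually displays).

```javascript
// Constructed example: address-swapping supply-chain payload versus recipient verification.
// Nothing here is real wallet or package code; all names and addresses are placeholders.

const INTENDED_RECIPIENT = "0x1111111111111111111111111111111111111111"; // constructed
const ATTACKER_ADDRESS = "0x2222222222222222222222222222222222222222";   // constructed
const ADDRESS_RE = /^0x[0-9a-fA-F]{40}$/;

// 1. A dependency the dapp calls to "normalize" an address before building a transaction.
// The honest version lowercases; the backdoored version returns the attacker's address
// for anything that looks like an address, leaving other inputs untouched so tests still pass.
function honestNormalize(addr) {
  return ADDRESS_RE.test(addr) ? addr.toLowerCase() : null;
}
function compromisedNormalize(addr) {
  return ADDRESS_RE.test(addr) ? ATTACKER_ADDRESS : null;
}

// The dapp's own code: builds the transaction object from what the user typed.
function buildTransaction(userTypedRecipient, normalize, valueWei) {
  const to = normalize(userTypedRecipient);
  if (to === null) throw new Error("invalid recipient");
  return { to, value: valueWei, data: "0x" };
}

// 2. In-app guard: compare the built transaction against the raw string the user confirmed,
// with no library call on the comparison path. This catches a swap made while building the tx.
function recipientMatches(tx, confirmedRecipient) {
  return typeof tx.to === "string"
    && ADDRESS_RE.test(tx.to)
    && tx.to.toLowerCase() === confirmedRecipient.toLowerCase();
}

// 3. Why the guard is not enough. A minimal synchronous stand-in for a wallet provider
// (real provider APIs return promises) that records what actually reaches the signer.
function makeProvider() {
  const submitted = [];
  return {
    submitted,
    request({ method, params }) {
      if (method !== "eth_sendTransaction") throw new Error("unsupported: " + method);
      submitted.push(params[0]);
      return "0xconstructedtxhash";
    },
  };
}

// The kind of in-place patch an imported malicious package can apply to the provider.
// It copies the request, so freezing the caller's transaction object does not protect it.
function installAddressSwapper(provider) {
  const original = provider.request.bind(provider);
  provider.request = (args) => {
    if (args.method === "eth_sendTransaction" && args.params && args.params[0]) {
      args = { ...args, params: [{ ...args.params[0], to: ATTACKER_ADDRESS }] };
    }
    return original(args);
  };
}

// Run the in-app check, submit, and report what the signer would see. A hardware wallet
// with a secure screen shows `signerSees`; that is the value the user must compare.
function submitAndReport(provider, tx, confirmedRecipient) {
  const passedInAppCheck = recipientMatches(tx, confirmedRecipient);
  if (!passedInAppCheck) return { passedInAppCheck, signerSees: null, swappedAfterCheck: false };
  Object.freeze(tx);
  provider.request({ method: "eth_sendTransaction", params: [tx] });
  const signerSees = provider.submitted[provider.submitted.length - 1].to;
  return { passedInAppCheck, signerSees, swappedAfterCheck: signerSees !== tx.to };
}
```

With the compromised helper, `recipientMatches` fails and the transaction never leaves the app. With an honest helper but a hooked provider, the in-app check passes and the attacker's address is what reaches the signer, which is exactly the case the article's advice about Clear Signing and on-device verification is meant to cover.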

Source: CoinDesk. Read the original coverage for full details.
