
According to Charles Guillemet, chief technology officer at hardware wallet manufacturer Ledger, a large-scale supply chain attack recently hit the NPM (node package manager) ecosystem.

The attackers inserted malicious code designed to stealthily swap cryptocurrency wallet addresses on the fly, so that a victim unknowingly sends funds to the wrong address.

According to Guillemet, it is unclear whether the code is also capable of extracting recovery seeds from compromised wallets.


It is worth noting that developers all over the globe rely on NPM packages for building websites. NPM is the most widely used package manager for JavaScript and TypeScript.

The scope of the attack

As noted by the Ledger CTO, the compromised packages have already been downloaded more than a billion times.

That figure does not by itself mean every user of those applications is at immediate risk of being hacked, but it shows the sheer scope of the supply chain attack, since the malicious code is already embedded across many applications. Crypto wallets face the biggest risk because the attackers are specifically manipulating addresses.

The attack is affecting various chains, including Ethereum and Solana.

0xCygaar, a purported AbstractChain contributor, claims that one should refrain from signing any crypto transactions as of now.

I would strongly recommend not signing any crypto transactions right now. There is a huge supply chain attack on popular NPM packages that may have compromised various crypto websites (frontend, not the actual contracts). It changes the destination address of transactions and…

— cygaar (@0xCygaar) September 8, 2025

Are Ledger users safe?

Guillemet has clarified that those who use hardware wallets with clear signing, such as Ledger's, are not at risk, because such devices display the real destination address on their own screens for the user to verify before signing.

The Ledger CTO has recommended that crypto users refrain from making on-chain transactions unless they are performed via a hardware wallet.