September 8, 2025 — A massive supply-chain attack is currently unfolding, compromising critical JavaScript packages used across the crypto ecosystem and potentially putting billions in digital assets at risk.
What’s Happening?
Ledger CTO Charles Guillemet has raised the alarm on X, revealing that a reputable developer’s NPM account has been compromised, resulting in the distribution of malicious code through widely used JavaScript packages—some with over 1 billion downloads.
The injected malware operates by silently swapping cryptocurrency wallet addresses during transactions, redirecting funds to attacker-controlled wallets without the user’s awareness.
Impact & Reach
The attack targets the JavaScript ecosystem at large, affecting decentralized apps, web wallets, and developer tools across multiple blockchains—including Ethereum, Solana, Bitcoin, and more.
One report notes that 18 high-impact NPM packages have been compromised, collectively receiving billions of downloads weekly.
What Experts Are Saying
Guillemet advises that software wallet users are at highest risk and recommends pausing all on-chain transactions until the threat is remediated.
In contrast, users relying on hardware wallets with secure screens and Clear Signing (capabilities found in Ledger devices) are considered safer—provided they explicitly verify every transaction before signing.
Developer voices, including pseudonymous figures like 0xngmi and 0xCygaar, reinforce the warning:
“I would strongly recommend not signing any crypto transactions right now.”
Others note that the attack may still be in flux and urge caution even as remediation efforts advance.
How the Attack Happened
Initial access was gained through a phishing campaign targeting NPM maintainers, using fraudulent emails that falsely demanded two-factor authentication updates before a fake expiration date (September 10, 2025).
Once attackers gained control of the developer account, they injected the “crypto-clipper” malware into legitimate packages, turning supply-chain dependencies into exploit vectors.
What You Should Do Now
| User Type | Recommended Action |
| --- | --- |
| Hardware Wallet Users | Only sign transactions after careful visual verification of recipient addresses using devices with Clear Signing capabilities. |
| Software Wallet Users | Refrain from making any on-chain transactions until the affected packages are confirmed clean. |
| Developers / Crypto Platforms | Audit dependencies immediately, pin vulnerable packages to safe versions, and avoid auto-updating. |
| General Users | Watch for updates from wallet providers and trusted crypto platforms. Major names like MetaMask, Uniswap, and Aave have reported being unaffected—but vigilance remains key. |
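For the developer action above (audit, pin, avoid auto-updating), here is one way to check a project. It is an added example, not code from the article or from any affected project. The deny-list names and versions are placeholders, since the article does not list the compromised packages, and the sample manifest and lockfile are constructed.

```javascript
// Deny list: package name -> exact versions to reject. These entries are
// PLACEHOLDERS, not the real compromised packages; fill in from the advisory.
const DENYLIST = new Map([
  ["example-color-lib", ["9.9.1"]],
  ["example-debug-lib", ["4.4.2", "4.4.3"]],
]);

// package-lock.json v2/v3 keys look like "node_modules/a/node_modules/@scope/b";
// the package name is whatever follows the last "node_modules/".
function nameFromLockPath(path) {
  const marker = "node_modules/";
  const i = path.lastIndexOf(marker);
  return i === -1 ? null : path.slice(i + marker.length);
}

// Every installed package (transitive ones included) whose exact version is denied.
function findDenied(lock, denylist = DENYLIST) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = meta.name || nameFromLockPath(path);
    if (name && (denylist.get(name) || []).includes(meta.version)) {
      hits.push({ name, version: meta.version, path });
    }
  }
  return hits;
}

// Direct dependencies whose spec is not an exact version (^, ~, *, ranges, tags):
// these can move to a newer release whenever the lockfile is regenerated.
function findFloating(pkg) {
  const exact = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;
  const out = [];
  for (const field of ["dependencies", "devDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!exact.test(spec)) out.push({ name, spec, field });
    }
  }
  return out;
}

// Constructed sample inputs (not from any real project).
const samplePkg = { dependencies: { "example-color-lib": "^9.9.0", "left-thing": "1.0.0" } };
const sampleLock = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "0.0.1" },
  "node_modules/example-color-lib": { version: "9.9.1" },
  "node_modules/left-thing": { version: "1.0.0" },
  "node_modules/left-thing/node_modules/example-debug-lib": { version: "4.4.2" },
} };
console.log(findDenied(sampleLock), findFloating(samplePkg));
```

In a real project, pass in the parsed contents of `package-lock.json` and `package.json`; installing with `npm ci` keeps the install to the exact versions recorded in the lockfile.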
Final Thoughts
This event marks what many security experts call the largest supply-chain attack in crypto history — a stark reminder of the fragility of open-source dependencies and the devastating potential of phishing campaigns. If you manage crypto funds—or build the infrastructure that supports them—now is the time to stay alert, double-check everything, and lean on hardware wallets where possible.


