NPM Hack Puts 1 Billion Crypto Wallets At Risk As Ledger CTO Urges Users To Halt Transactions

2025/09/09 17:24

An NPM (Node Package Manager) supply chain attack has prompted Ledger Chief Technology Officer Charles Guillemet to urge crypto users to pause on-chain transactions.

“There’s a large-scale supply chain attack in progress: the NPM account of a reputable developer has been compromised,” Guillemet wrote on X. “The affected packages have already been downloaded over 1 billion times, meaning the entire JavaScript ecosystem may be at risk.”

His recommendation to not perform any on-chain transactions was mainly targeted at crypto community members who don’t use a hardware wallet. However, he did caution anyone who does use a hardware wallet to “pay attention to every transaction before signing” in order to stay safe.

Guilleme is one of many crypto developers that has issued the warning. According to GCr’s 0x_ultra, “Chalk and projects with it as a dependency (2 billion+ weekly downloads) have been pwned.” Developers are now stealing users’ private keys, subsequently gaining access to crypto wallets, the developer said.

The other packages that seem to be affected are strip-ansi and color-convert. Chalk and these packages are small utilities that are buried deep in the dependency trees in a vast number of projects.

How The NPM Attack Happened

NPM is the default package manager for Node.js, which is the runtime environment for the JavaScript programming language. It’s a crucial tool in the JavaScript ecosystem, and facilitates the management of software packages and their dependencies.

In simple terms, NPM is a large online registry that contains millions of open-source JavaScript packages and modules that any developer can use.

In the recent attack, a hacker or group of hackers managed to break into the NPM account of a well-known software developer and added malware to popular libraries that have already been downloaded over a billion times.

The malware is designed to insert the hacker’s wallet address when a crypto user is about to execute a transaction.

The package’s maintainer, whose accounts were compromised, confirmed the incident earlier today. In a BlueSky post, he said that he received a 2 factor authentication (2FA) email that “looked very legitimate,” but turned out to be a phishing email.

In the email, the attackers had threatened that his account would be locked on Sept. 10 as a scare tactic to get him to click a malicious link in the email that gave the attackers access to his NPM account.

NPM Breach Being Called The “Largest Supply Chain Attack Ever”

According to the X account Solid Intel, this attack is being called the “largest supply chain attack ever.”

Solid Intel post

NPM attack being called the largest-ever supply chain attack (Source: X)

The malware mainly affects the front end of crypto projects, which are usually written in JavaScript and not the actual backend smart contract addresses, according to X user “cygaar.”

Cygaar commented under his post, adding that it seems NPM has already disabled the compromised version of the affected packages.

While several crypto users are potentially at risk, popular wallet providers such as Ledger and MetaMask have marked their platforms as safe from the attack.

Phantom Wallet’s team also said that they do not use any vulnerable version of the affected packages, and UniSwap has noted that none of its apps are at risk either.

Other platforms, including Blockstream Jade, Revoke.cash, Aerodrom and Blast said that their platforms are unaffected by the attack as well.

NPM Hackers Have Only Stolen $500 So Far

Initially, the impact of the NPM attack seemed almost negligible, with reports that the hackers only stole $0.05 from the incident. However, there have since been reports that the amount has risen to $50. This suggests the full ramifications of the attack have not been felt yet.

Data from Etherscan, the blockchain explorer for the Ethereum blockchain, shows that the NPM exploiter’s address holds $492.19 as of 3:40 a.m. EST.

The address has received funds through seven tokens, two of which are non-fungible tokens (NFTs).

Those tokens include Condola, ANDY, Brett, Dork Lord and Ethervista, as well as NFT tokens Canna-Buddiez and Sausage. The address also holds 5 cents worth of ETH.

NPM exploiter's holdings

NFT exploiter’s token holdings (Source: Etherscan)

Disclaimer: The articles reposted on this site are sourced from public platforms and are provided for informational purposes only. They do not necessarily reflect the views of MEXC. All rights remain with the original authors. If you believe any content infringes on third-party rights, please contact [email protected] for removal. MEXC makes no guarantees regarding the accuracy, completeness, or timeliness of the content and is not responsible for any actions taken based on the information provided. The content does not constitute financial, legal, or other professional advice, nor should it be considered a recommendation or endorsement by MEXC.

Share Insights