Charles Guillemet, chief technology officer at Ledger, warned on Monday that a major supply chain attack is underway after a trusted developer’s NPM account was taken over. The compromised packages, Guillemet said, already have more than 1,000,000,000 downloads.
The injected code quietly swaps crypto wallet addresses in transactions, so people can end up sending funds to the attacker without knowing how it happened.
How does the attack work?
Guillemet explained that the attacker added code to popular JavaScript packages. Those packages are used by developers across many projects.
When an app or wallet uses the tainted package, the code can change the address in a transaction. The user thinks they are sending to the right address. In fact, the money goes to the attacker.
This method targets the software supply chain. It uses a trusted developer account as an entry point. Once the account is compromised, attackers can push malicious updates that reach many projects fast.
Who is at risk?
Any decentralised app or software wallet that includes the affected JavaScript packages may be exposed. Guillemet warned that the problem crosses blockchains, and if a wallet or dapp calls the infected code, users could lose funds.
He urged users and developers to assume that widely used packages may be unsafe until checks are done.
Ledger’s advice
Guillemet said the most reliable protection is a hardware wallet with a secure screen that supports Clear Signing. With a secure screen, users can view the exact address on the device before they approve a transaction.
That makes it much harder for malicious code to trick someone. He added that hardware wallets without secure displays and any wallet that does not support Clear Signing face a higher risk. He told users to verify transactions and to avoid blind signing.
Ledger also said its devices were not at risk from this particular ecosystem-wide attack. The company said its hardware shows the real address on a protected screen before signing.
Ledger said users’ private keys and recovery phrases remain safe. The company encouraged users to check transaction details on the device every time.
Reactions from the wider industry
CZ, the CEO of Binance, noted that open-source software is no longer automatically safe. He said the incident shows Web 3 will push different security demands on older Web 2 tools. He called the field still early and evolving.
MetaMask responded by saying its products include several lines of defence. The company said it locks versions, uses manual and automated checks, and keeps a careful release process.
MetaMask also said it uses tools that limit what malicious code can do and services that flag risky addresses quickly. The team told users there is no need to panic, and that they work to keep apps and accounts safe.
Reports suggest attackers also targeted other package maintainers and developers with phishing messages sent to the same email. Those who received the messages said the attackers tried to trick them into revealing access.
Context and past attacks
Security observers compare this breach to earlier supply chain thefts. In 2025, attackers linked to North Korea were blamed for draining more than $1,500,000,000 from crypto platforms.
Chainalysis has said the Lazarus Group was behind over $3,000,000,000 in crypto theft between 2017 and 2025. Those campaigns often rely on compromising trusted developer tools or accounts.
Such incidents demonstrate the severe consequences of even the smallest lapses in developer security. With one compromised account, the attacker can inject malicious code into multiple projects simultaneously. This can result in immediate damage to the entire crypto ecosystem.
Developers should audit their dependencies and confirm who publishes each component they pull in. They need to investigate the changes in every update and make sure those updates are genuine before adopting them.
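The version locking MetaMask describes and the dependency audit recommended above can be checked mechanically. The following is an added example, not code from Ledger, MetaMask or the article: it reads a package.json and an npm lockfile (v2/v3 "packages" layout) and flags dependencies declared as ranges, which would pull in a poisoned newer release automatically, and lock entries that carry no integrity hash. All package names and versions are constructed sample data.

```javascript
// Added example: audit npm dependency declarations for the two weaknesses a
// hijacked maintainer account exploits. Sample data below is constructed.
const SAMPLE_PACKAGE_JSON = {
  dependencies: {
    "example-lib-a": "^1.4.0", // range: a malicious 1.4.1 would be installed
    "example-lib-b": "2.0.3",  // exact pin
    "example-lib-c": "~3.1.0", // range
  },
};

const SAMPLE_LOCKFILE = {
  packages: {
    "": { name: "example-app", version: "0.1.0" }, // root entry, ignored
    "node_modules/example-lib-a": { version: "1.4.0", integrity: "sha512-AAAA" },
    "node_modules/example-lib-b": { version: "2.0.3" }, // no integrity hash
    "node_modules/example-lib-c": { version: "3.1.2", integrity: "sha512-CCCC" },
  },
};

// An exact pin is MAJOR.MINOR.PATCH with optional prerelease/build, no operators.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Dependencies whose spec is a range (^, ~, >=, *, tags) rather than a pin.
function findUnpinnedDependencies(pkg) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  return Object.entries(deps)
    .filter(([, spec]) => !EXACT_VERSION.test(spec))
    .map(([name, spec]) => ({ name, spec }));
}

// Lock entries with no integrity hash: the tarball cannot be verified on install.
function findEntriesWithoutIntegrity(lock) {
  return Object.entries(lock.packages || {})
    .filter(([path, entry]) => path !== "" && !entry.integrity)
    .map(([path, entry]) => ({ path, version: entry.version }));
}

function auditDependencies(pkg, lock) {
  const unpinned = findUnpinnedDependencies(pkg);
  const noIntegrity = findEntriesWithoutIntegrity(lock);
  return { unpinned, noIntegrity, clean: unpinned.length === 0 && noIntegrity.length === 0 };
}

const report = auditDependencies(SAMPLE_PACKAGE_JSON, SAMPLE_LOCKFILE);
for (const d of report.unpinned) console.log(`unpinned: ${d.name}@${d.spec}`);
for (const e of report.noIntegrity) console.log(`no integrity hash: ${e.path}@${e.version}`);
```

On a real project, replace the constructed objects with `JSON.parse(fs.readFileSync("package.json"))` and the lockfile; a clean report means a compromised upstream release cannot enter the build without a deliberate, reviewable lockfile change.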
This incident is a reminder that code supply chains can be weak points. The cryptocurrency community relies heavily on open-source tools, making careful checks and device-level verification critical.
For now, users and teams should assume risk, verify every transaction on a secure screen, and treat any unexpected update with caution.