Ledger CTO warns of NPM supply chain attack hitting packages with 1B+ downloads

Charles Guillemet, Chief Technology Officer at hardware wallet maker Ledger, warned Monday that a large-scale supply chain attack is underway after the compromise of a well-known developer's Node Package Manager (npm) account.

According to Guillemet, the malicious code, already pushed into packages with more than a billion downloads, is designed to silently swap crypto wallet addresses in transactions. This means unsuspecting users could send funds directly to the attacker without realizing it.

Guillemet did not name the developer whose account he said was compromised.

The incident highlights how deeply interconnected developer tooling and the crypto economy are, and why a security lapse in developer tools can spread through the crypto economy.

“NPM is a tool commonly used in the development of software using JavaScript, which makes it easy for developers to integrate packages,” Guillemet said in a message to CoinDesk. When an attacker compromises a developer's account, they can slip malware into widely used packages.

“The malicious code tries to drain users by swapping the addresses used in the transaction or general on-chain activity and replacing them with the hacker's address,” Guillemet added.

Guillemet stressed that if a decentralized application or software wallet on a blockchain includes these JavaScript packages, it could be compromised, and crypto users could lose their funds as a result.
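As an added example that is not part of the article and not Ledger's code: a lockfile audit a dapp or wallet team could run to find whether any direct or transitive dependency resolves to a version reported as compromised. It assumes a package-lock.json with lockfileVersion 2 or 3; the package names, versions and the compromised list below are constructed placeholders, to be replaced with the values from the actual advisory.

```javascript
// Audit an npm lockfile (lockfileVersion 2/3) for dependencies pinned to
// known-compromised versions, including transitive (nested) ones, and for
// entries that carry no integrity hash. Example code, not from the article.

// PLACEHOLDER list: populate with "name@version" pairs from the real advisory.
const COMPROMISED = new Set(['example-util@1.4.2']);

// Constructed sample lockfile standing in for a real package-lock.json.
const SAMPLE_LOCKFILE = JSON.stringify({
  name: 'demo-dapp', lockfileVersion: 3, packages: {
    '': { name: 'demo-dapp', version: '1.0.0' },
    'node_modules/example-widget': { version: '2.1.0', integrity: 'sha512-PLACEHOLDER' },
    // nested copy: only reachable through example-widget, easy to miss by eye
    'node_modules/example-widget/node_modules/example-util': { version: '1.4.2', integrity: 'sha512-PLACEHOLDER' },
    'node_modules/example-left': { version: '0.3.0' }, // no integrity field at all
  },
});

function parseLockfile(text) {
  const lock = JSON.parse(text);
  if (!lock.packages) throw new Error('expected lockfileVersion 2 or 3 (packages map)');
  return lock;
}

// Returns one finding per suspicious lockfile entry, with the reasons it was flagged.
function auditLockfile(lock, compromised) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages)) {
    if (path === '' || meta.link) continue; // skip the root project and symlinked workspaces
    // Package name is the text after the last "node_modules/" (handles @scope/name too).
    const name = meta.name || path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    const reasons = [];
    if (compromised.has(`${name}@${meta.version}`)) reasons.push('known-compromised version');
    if (!meta.integrity) reasons.push('no integrity hash in lockfile');
    if (reasons.length) findings.push({ path, name, version: meta.version, reasons });
  }
  return findings;
}

if (typeof require !== 'undefined' && require.main === module) {
  const file = process.argv[2]; // optional path to a real package-lock.json
  const text = file ? require('fs').readFileSync(file, 'utf8') : SAMPLE_LOCKFILE;
  const findings = auditLockfile(parseLockfile(text), COMPROMISED);
  for (const f of findings) console.log(`${f.path} (${f.name}@${f.version}): ${f.reasons.join('; ')}`);
  if (file && findings.length) process.exitCode = 1; // fail CI when a real lockfile is flagged
}
```

Run it as `node audit.js path/to/package-lock.json`; with no argument it audits the constructed sample.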

“The only safe way to fight this is to use a hardware wallet with a secure screen that supports clear signing,” Guillemet told CoinDesk. “This lets the user see exactly which addresses the funds are being sent to and make sure they match the intended addresses.”

“Hardware wallets without secure screens, and any wallet that does not support clear signing, are at high risk because it is impossible to verify precisely that the transaction details are correct,” he added.

“This is an opportunity to remind everyone: always check your transactions, never sign blindly, use a hardware wallet with a secure screen and sign everything,” Guillemet said.

Read more: Ledger CTO addresses criticism of the new wallet recovery service
