
Ledger CTO Warns Users Amid Massive NPM Supply Chain Attack

Hackers hit a trusted NPM account, adding malicious code to JavaScript packages downloaded over 1B times, risking crypto projects.

Written by Ronak Kumar
Fact checked by Dhara Chavda
Published: 2025-09-09
Last updated: September 9, 2025 12:17 PM

Ledger’s Chief Technology Officer, Charles Guillemet, issued a strong warning on Monday, urging some users to temporarily stop on-chain transactions. The alert comes after a massive supply chain attack compromised a trusted developer’s NPM account, affecting packages that have been downloaded over 1 billion times.

“There’s a large-scale supply chain attack in progress,” Guillemet said in a post on X. “If you use a hardware wallet, pay attention to every transaction before signing and you’re safe. If you don’t, refrain from making any on-chain transactions for now.”

How the Attack Works

Supply chain attacks target the software distribution process, not individual users. In this case, hackers gained control of the NPM account of a developer known as ‘qix’.

They allegedly inserted malicious code that automatically replaces cryptocurrency addresses, deceiving users into sending money to the attacker rather than the intended receiver. This method is similar to tactics used by North Korean hackers to steal $1.5 billion from the crypto exchange Bybit earlier this year.

Crypto developers quickly noticed the attack. @0x_ultra shared that packages like Chalk, with over 2 billion weekly downloads, were compromised and could steal private keys.

The impacted developer confirmed the attack, saying that phishing emails impersonating NPM had threatened to lock maintainers' accounts in order to lure them to rogue websites. However, at the time of reporting, the attacker had only managed to steal $498.

What Users Should Do

The compromised packages were reportedly patched around 15:15 UTC. However, websites and apps that updated dependencies recently might still be at risk. 

Further, Uniswap, Metamask, Ledger, OKX Wallet, Sui, Aave and Morpho have stated that they were “not affected” by the NPM supply chain attack.

Guillemet also reassured users that those using hardware wallets with clear signing are safe. Developers are encouraged to verify all the dependencies and make sure that they are not using the compromised versions.
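
As an added illustration of that dependency check (not code from Ledger, NPM or The Crypto Times), the JavaScript below walks the `packages` map of a parsed npm lockfile (lockfileVersion 2 or 3) and reports every installed copy of a denylisted version, including nested and aliased copies. The denylist entry and the sample lockfile are constructed placeholders; this article does not list the compromised versions, so the real ones must be taken from the registry's advisory.

```javascript
// Added example: audit a parsed package-lock.json (lockfileVersion 2 or 3).
// DENYLIST holds a constructed placeholder, not a real compromised version.
const DENYLIST = { chalk: ["0.0.0-placeholder-bad"] };

// Constructed sample lockfile; every name and version here is illustrative.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/chalk": { version: "0.0.0-placeholder-bad" },
    "node_modules/left-pad": { version: "1.3.0" },
    "node_modules/some-cli/node_modules/chalk": { version: "4.1.2" },
    "node_modules/@scope/tool/node_modules/chalk": { version: "0.0.0-placeholder-bad" },
    "node_modules/colors-alias": { name: "chalk", version: "0.0.0-placeholder-bad" },
    "packages/local-lib": { version: "0.1.0" },
  },
};

// The package name is whatever follows the last "node_modules/" in the key,
// so copies nested under other dependencies are attributed correctly.
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

// Returns one {name, version, path} record per installed denylisted copy.
function findDenylisted(lock, denylist) {
  if (!lock || typeof lock.packages !== "object" || lock.packages === null) {
    throw new Error("no 'packages' map: lockfileVersion 1 is not handled here");
  }
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages)) {
    if (path === "" || !meta || !meta.version) continue; // root project, links
    // npm records "name" when an alias makes the folder differ from the package.
    const name = meta.name || packageNameFromPath(path);
    const bad = Object.prototype.hasOwnProperty.call(denylist, name) ? denylist[name] : [];
    if (bad.includes(meta.version)) hits.push({ name, version: meta.version, path });
  }
  return hits;
}

for (const hit of findDenylisted(SAMPLE_LOCK, DENYLIST)) {
  console.log(`DENYLISTED ${hit.name}@${hit.version} at ${hit.path}`);
}
```

To check a real project, pass the result of `JSON.parse` on its `package-lock.json` in place of `SAMPLE_LOCK`; a top-level `package.json` range alone does not show which version was actually installed.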

This attack is being described as possibly the biggest supply chain attack in history, and it is a reminder of the increasing risks in the software ecosystem and the role of security in crypto transactions.

Ronak Kumar is a Crypto Journalist with over 3 years of experience covering blockchain, AI, finance, and emerging digital trends. With a background in Commerce (B.Com) and a Postgraduate Diploma in Management (PGDM), he combines business insight with a clear understanding of the evolving crypto space. His reporting has been featured in major publications, with his work cited by NDTV, Hindustan Times, and Outlook India on topics like Trump Memecoin, Bhutan’s crypto mining, and Barron Trump’s digital presence.
Dhara Chavda is a Research Analyst at The Crypto Times. She covers U.S. crypto regulation — including the CLARITY Act and GENIUS Act — DeFi security and major protocol exploits, and investigations into crypto fraud and enforcement actions. Her work emphasizes primary sourcing and on-chain verification over secondary commentary. Dhara joined The Crypto Times in 2020 and has followed every major market cycle since — the 2021 bull run, the 2022 Terra and FTX collapses, the 2023 banking turmoil, the 2024 spot Bitcoin ETF launch, and the 2025–2026 regulatory cycle — first assigning and reviewing the desk's coverage, and now writing it herself. Her reporting has been cited by international outlets including TheStreet and Argentina's La Nación. She holds a Bachelor of Engineering in Computer Engineering from Gujarat Technological University (GTU), which informs her technical reporting on on-chain data, smart contract analysis, and protocol architecture.

© 2026 The Crypto Times | A BITROCK TECHNOLOGIES L.L.C. Company.
