Ledger’s Chief Technology Officer, Charles Guillemet, issued a strong warning on Monday, urging some users to temporarily stop on-chain transactions. The alert comes after a massive supply chain attack compromised a trusted developer’s NPM account, affecting packages that have been downloaded over 1 billion times.
“There’s a large-scale supply chain attack in progress,” Guillemet said in a post on X. “If you use a hardware wallet, pay attention to every transaction before signing and you’re safe. If you don’t, refrain from making any on-chain transactions for now.”
How the Attack Works
Supply chain attacks target the software distribution process, not individual users. Here, hackers acquired the NPM account of a developer ‘qix’.
They allegedly inserted malicious code, which replaces cryptocurrency addresses automatically, deceiving users to send money to the attacker, rather than the receiver. This method is similar to tactics used by North Korean hackers to steal $1.5 billion from the crypto exchange Bybit earlier this year.
Crypto developers quickly noticed the attack. @0x_ultra shared that packages like Chalk, with over 2 billion weekly downloads, were compromised and could steal private keys.
The impacted developer verified the attack, saying that phishing emails that pretended to be NPM threatened to lock accounts of maintainers to tempt them to visit rogue websites. However, at the time of reporting, the attacker only managed to steal $498.
What Users Should Do
The compromised packages were reportedly patched around 15:15 UTC. However, websites and apps that updated dependencies recently might still be at risk.
Further, Uniswap, Metamask, Ledger, OKX Wallet, Sui, Aave and Morpho have stated that they were “not affected” by the NPM supply chain attack.
Guillemet also reassured users that those using hardware wallets with clear signing are safe. Developers are encouraged to verify all the dependencies and make sure that they are not using the compromised versions.
This attack is being described as possibly the biggest supply chain attack in history, and it is a reminder of the increasing risks in the software ecosystem and the role of security in crypto transactions.
Also Read: SwissBorg Crypto Platform Loses $41M Solana in Major Security Breach
