Crypto users have been urged to exercise extreme caution following the discovery of a massive supply chain attack targeting widely used JavaScript packages.
Ledger Chief Technology Officer Charles Guillemet issued a stark warning on Monday, advising users to temporarily halt onchain transactions amid fears that funds could be silently redirected to attackers.
A compromised NPM account
The attack centers on a compromised NPM account belonging to a reputable developer known as “qix.” NPM, a prominent package manager for JavaScript, hosts reusable code libraries that developers integrate into countless projects.
According to Guillemet, the affected packages have been downloaded over 1 billion times, meaning that a large portion of the JavaScript ecosystem — including websites, crypto applications, and wallets — could have been exposed to the malicious payload.
The malicious code is designed to swap cryptocurrency addresses on the fly, redirecting funds to the hacker while leaving users unaware.
Users operating across multiple blockchain networks could have their assets at risk.
While hardware wallet users are generally safe if they carefully verify each transaction before signing, those relying solely on software wallets face a far greater danger.
Developers scramble to mitigate damage
Immediately after the revelation, NPM disabled the compromised packages, but security experts caution that any application or project that performed updates while the packages were live could still be vulnerable.
Blockchain security researcher Cygaar and the firm Blockaid both emphasized the need for developers to audit all dependencies, noting that packages such as Chalk, color-name, and color-string were affected.
The attacker reportedly used phishing emails to compromise the developer’s account, including messages designed to look like they came from NPM itself.
The compromised packages were live for only a few hours, although the sheer scale of their distribution means that a significant number of applications may have integrated the malicious code before it was removed.
Crypto users advised to pause onchain transactions
While projects such as Loopscale on Solana and the Phantom wallet have confirmed they were not affected by the incident, Ledger and security experts alike are advising crypto users to refrain from sending or signing transactions until they are certain that their software dependencies are secure.
Guillemet stressed that hardware wallets remain a safer option because users have an opportunity to review and verify each transaction. Still, caution is paramount, as the attack highlights the potential for Web2 dependencies to compromise the security of blockchain systems.