Ledger CTO Charles Guillemet: avoid crypto transactions, supply chain attack discovered

A widespread supply chain attack has been discovered, potentially tracking data from a crypto wallet and stealing assets on all chains. The npm library of a big and trusted account has been compromised, researchers announced. 

A widespread npm supply chain attack is potentially targeting the owners of the most common crypto wallets. Charles Guillemet, CTO of Ledger, warned users to avoid crypto transactions using common browser-based or desktop wallets, and only transact through hardware wallets with great caution. 

🚨 There’s a large-scale supply chain attack in progress: the NPM account of a reputable developer has been compromised. The affected packages have already been downloaded over 1 billion times, meaning the entire JavaScript ecosystem may be at risk.

The malicious payload works…

— Charles Guillemet (@P3b7_) September 8, 2025

Researchers discovered one of the trusted JavaScript npm accounts was spreading packages with malicious code that was able to track and even divert crypto transactions. Soon after the attack, the maintainer reached out to the community via a Hackernoon profile to warn that the affected packages are still mostly compromised and yet to be replaced with safe versions.

The npm maintainer’s account is still not recovered, and was most probably stolen through social engineering and a fake 2FA process. GitHub users reported a suspicious email originating from npmjs support. 

The current event is viewed as the largest npm supply chain attack in history. More suppliers can be compromised if the emails manage to steal other accounts.

Large-scale supply chain attack targets software crypto wallets

In the past week, Cryptopolitan reported on two packages being compromised to steal crypto on Ethereum. 

The current attack is much larger – affecting a total of 18 highly popular npm packages, with 2B downloads in the past week. At this point, it is uncertain how many of the packages have spread through the JavaScript ecosystem. 

The supply chain attack is considered one of the biggest threats in the crypto space, potentially changing the destination of funds on the fly, despite the user seemingly signing the correct transaction. 

I would strongly recommend not signing any crypto transactions right now.

There is a huge supply chain attack on popular NPM packages that may have compromised various crypto websites (frontend, not the actual contracts).

It changes the destination address of transactions and…

— cygaar (@0xCygaar) September 8, 2025

Once again, the biggest threat is against software wallet users, reportedly affecting MetaMask, Trust Wallet, Exodus, and others. All npm packages have been disabled, but developers must return to their code to discontinue the usage of the flawed packages. 

Hours after the attack, Axiom and Jupiter DEX confirmed they did not use any of the flawed npm packages and trading can continue. Kamino also reported it has not deployed any flawed code.

Users urged to avoid signing transactions until developers give a green light

For now, it is considered improbable that the attacker is capable of stealing private seeds directly, as it would expose even bigger problems with wallet security. Currently, user wallets are safe unless they send out or sign a transaction. 

The address swap happens before signing, as the attacker uses similar-looking destination wallets. The addresses look almost similar, requiring a detailed letter-by-letter verification before signing. Usually, crypto users check only the first and last four digits, leaving them open to address swap attacks. 

However, there are also smart contracts and automated transactions. End users are advised to lock and disable all browser wallets and refrain from signing transactions. The news also did not break down Monday’s crypto rally. Additionally, on-chain detectives have not sent out warnings of big or unusual losses from individual wallets.

The attack can affect all apps in the Web3 and DeFi ecosystem. Currently, transactions continue on all chains. Researchers have taken a screengrab of potential destination wallets, some of which are still empty.