Ledger CTO Alerts Users to NPM Supply-Chain Breach Threatening Crypto Security

A large-scale supply chain breach has rattled the open-source community after hackers compromised the Node Package Manager (NPM) account of a reputable developer. Widely used packages were affected, sparking major concerns across the JavaScript ecosystem.

NPM Breach Raises Concerns for Wallet Safety

Charles Guillemet, chief technology officer at Ledger, revealed the extent of the threat. He reported that a major NPM account had been hijacked and that affected packages had already been downloaded over one billion times. Given this reach, he said the entire JavaScript ecosystem could be exposed. The malicious code worked silently, switching cryptocurrency addresses in real time to divert funds to attackers.

Guillemet urged caution. He explained that users of hardware wallets remain safe if they carefully verify every transaction before approving. For those relying on software wallets, he recommended avoiding on-chain transactions until the situation becomes clearer. He also noted that it is still uncertain whether the attackers are directly attempting to extract recovery seeds from software wallets.

Developer Confirms Account Takeover

The maintainer at the center of the breach, Josh Junon, confirmed that his NPM account had been compromised. In a post on Bluesky, he explained that the takeover resulted from a phishing campaign . The attackers had set up a fake domain, ‘support [at] npmjs [dot]’ help, designed to resemble the official npmjs.com site.

Maintainers received threatening emails claiming their accounts would be locked on September 10, 2025. These messages included links that redirected to phishing sites designed to steal credentials. The fake email claimed:

To maintain the security and integrity of your account, we kindly ask that you complete this update at your earliest convenience. Please note that accounts with outdated 2FA credentials will be temporarily locked starting September 10, 2025, to prevent unauthorized access.

Other developers soon reported being targeted in the same way, confirming the phishing scheme reached beyond a single maintainer.

NPM Breach Response and Technical Breakdown

The NPM team acted quickly once the breach was detected, moving to take down the malicious versions uploaded by the attackers. Among those removed was a release of the debug package, which is downloaded hundreds of millions of times each week—estimated at around 357 million.

Further analysis was conducted by Aikido Security, and the investigation revealed the following:

• Attackers added malicious code into index.js files of hijacked packages. This acted as a browser interceptor, hijacking traffic and targeting crypto users.
• The malware embedded in browsers and hooked into functions like fetch, XMLHttpRequest, and wallet APIs such as window.ethereum and Solana, giving it access to web and wallet activity.
• Once active, it scanned data for wallet addresses across Ethereum, Bitcoin, Solana, Tron, Litecoin, and Bitcoin Cash. Detected addresses were swapped with attacker-controlled ones, often made to look similar.
• It altered transaction details before signing, changing recipients, approvals, or allowances while the interface appeared normal, sending funds to attackers.
• To stay hidden, it avoided visible changes when a wallet was present, instead running quietly in the background and manipulating real transactions.

Call for Stronger Precautions

In comments to CoinDesk, Guillemet warned that decentralized applications or software wallets including the compromised packages may not be secure, leaving crypto users at risk of losing funds . He emphasised that the most reliable safeguard is a hardware wallet with a secure display that supports Clear Signing.

This approach allows users to verify the address and details of each transaction directly on the device’s screen, ensuring that what they approve matches their intention.

He added that the situation serves as a strong reminder of essential practices: “always verify your transactions, never blind sign.” He also advised the use of a hardware wallet with a secure display to help ensure safety.