On Monday, September 8, 2025, at 11:37 PM EDT, the cryptocurrency world was jolted by a stark warning from Charles Guillemet, Chief Technology Officer of Ledger, who urged certain users to halt onchain transactions due to a potentially devastating cyberattack.
Guillemet’s announcement on X revealed a significant supply chain breach, stating that the NPM account of a well-regarded developer had been compromised.
🚨 There’s a large-scale supply chain attack in progress: the NPM account of a reputable developer has been compromised. The affected packages have already been downloaded over 1 billion times, meaning the entire JavaScript ecosystem may be at risk.
The malicious payload works…
— Charles Guillemet (@P3b7_) September 8, 2025
The affected software packages, downloaded over a billion times, pose a serious threat to the entire JavaScript ecosystem, which underpins much of the web, including numerous crypto-related platforms.
This incident has sparked concerns that it could be one of the most extensive supply chain attacks ever recorded, drawing parallels to past high-profile breaches.
Guillemet detailed that the malicious code embedded in these packages operates by silently substituting cryptocurrency addresses during transactions, effectively siphoning funds to the attacker without the user’s knowledge.
He advised that users of hardware wallets, such as Ledger's, could protect their assets by carefully checking the destination of each transaction on the device's own screen before signing, using features such as Clear Signing.
However, for those relying on software wallets, he recommended an immediate pause on all onchain activities until the situation clarifies.
This guidance echoes a similar alert from @0xCygaar, who described the event as a supply chain attack targeting a trusted developer’s NPM account, amplifying the urgency within the crypto community.
A supply chain attack differs from traditional cyberattacks by infiltrating a trusted component of the software delivery process rather than directly targeting end users.
This method lets attackers distribute malicious code through components that many projects already trust and install, as seen in this case with packages published on NPM, a cornerstone of JavaScript development.
The breach’s scale is reminiscent of an August 2025 incident involving the Nx build system, where Wiz reported that compromised packages exposed thousands of enterprise credentials, leveraging AI tools to enhance data theft.
Similarly, the current attack’s use of phishing to gain access aligns with a recent case where a fake npm support email deceived a maintainer, as noted by Aikido on the same day.
The JavaScript ecosystem’s vulnerability has been laid bare, with over 2 billion weekly downloads of affected NPM packages highlighting the potential reach of the malware.
This situation mirrors the 2020 SolarWinds attack, which impacted thousands of organizations, though this event zeroes in on the open-source software community.
The malicious code's ability to alter transaction addresses in real time could affect multiple blockchains, including Ethereum and Bitcoin. The same tactic was used in an April 2025 attack involving the "pdf-to-office" package, which targeted Atomic Wallet and Exodus users to steal funds.
That earlier breach demonstrated how such malware could persist even after package removal, a concern now resurfacing.
Ledger’s emphasis on hardware wallets as a defense mechanism underscores a growing trend, with the company’s secure screen technology allowing users to verify addresses—a practice recommended after the Nx compromise.
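The address substitution Guillemet describes, and the on-device verification the article presents as the defence, can be made concrete in a small simulation. The following is an added example written for this page; it is not code from the article, from Ledger, or from the compromised packages. The way the swap is performed (a malicious dependency wrapping the wallet provider's request method) is an assumed mechanism chosen for illustration, the provider is a simplified synchronous stand-in for a browser wallet provider, and both addresses are constructed placeholders.

```javascript
// Added example: simulated recipient-swapping payload versus on-device review.
// Constructed placeholder addresses, not real accounts.
const INTENDED_TO = "0x1111111111111111111111111111111111111111";
const ATTACKER_TO = "0x2222222222222222222222222222222222222222";

// The object a web app calls to send a transaction; `signer` is the wallet.
// Synchronous for brevity; a real provider returns promises.
function makeProvider(signer) {
  return {
    request({ method, params }) {
      if (method !== "eth_sendTransaction") throw new Error("unsupported: " + method);
      return signer(params[0]);
    },
  };
}

// Assumed clipper mechanism: a malicious dependency wraps provider.request and
// rewrites `to` just before the wallet sees it. The page's own UI already showed
// the user the correct address, so nothing on screen looks wrong.
function injectClipper(provider) {
  const original = provider.request.bind(provider);
  provider.request = (args) => {
    if (args.method === "eth_sendTransaction" && args.params && args.params[0]) {
      args = { ...args, params: [{ ...args.params[0], to: ATTACKER_TO }] };
    }
    return original(args);
  };
}

// Software wallet: signs whatever the (compromised) host hands it.
function softwareSigner(tx) {
  return { signed: true, to: tx.to, value: tx.value };
}

// Hardware wallet with clear signing: the device decodes the transaction and
// renders it on its own screen, which the host cannot draw on. `userConfirms`
// models the user reading that screen and comparing the full address (not just
// its first and last characters) with the one they meant to pay.
function hardwareSigner(userConfirms) {
  return (tx) => {
    const deviceScreen = { action: "Send", amount: `${tx.value} wei`, to: tx.to };
    if (!userConfirms(deviceScreen)) {
      return { signed: false, reason: "recipient on device screen did not match" };
    }
    return { signed: true, to: tx.to, value: tx.value };
  };
}

// The dapp flow as the user experiences it: pay `to` through the provider.
function sendPayment(provider, to, value) {
  return provider.request({ method: "eth_sendTransaction", params: [{ to, value }] });
}

function runScenarios() {
  const value = "1000000000000000000"; // 1 ETH in wei

  // Scenario 1: software wallet on a page carrying the compromised dependency.
  const soft = makeProvider(softwareSigner);
  injectClipper(soft);
  const softwareResult = sendPayment(soft, INTENDED_TO, value);

  // Scenario 2: hardware wallet, same compromised page. The user checks the
  // address shown on the device against the one they intended and rejects it.
  const userChecks = (screen) => screen.to.toLowerCase() === INTENDED_TO.toLowerCase();
  const hard = makeProvider(hardwareSigner(userChecks));
  injectClipper(hard);
  const hardwareResult = sendPayment(hard, INTENDED_TO, value);

  return { softwareResult, hardwareResult };
}

console.log(JSON.stringify(runScenarios(), null, 2));
```

Run it with `node` and the first scenario signs a transaction whose recipient is the attacker's address, while the second refuses to sign. The point of the simulation is where the comparison happens: a check performed by code running on the compromised host can itself be tampered with, whereas the device screen shows the transaction the device is actually about to sign.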
The crypto community is responding with calls for dependency audits, a strategy gaining momentum following the late 2023 JetBrains vulnerability exploit, which led to widespread security reviews.
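A dependency audit for an incident of this kind comes down to one question: is any known-compromised release installed anywhere in the tree, including as a transitive dependency nested under another package? The following is an added example written for this page, not tooling from the article or from npm. It follows npm's published package-lock layouts (lockfileVersion 1 with nested `dependencies`; lockfileVersion 2 and 3 with a flat `packages` map keyed by install path). The package names, versions and blocklist are constructed placeholders for the demonstration, not the packages actually involved in the incident.

```javascript
// Added example: audit a package-lock.json against a list of compromised releases.
// Package names and versions are constructed for the demo.
const COMPROMISED = new Set(["example-colors@5.6.1", "example-debug@4.4.2"]);

// Constructed lockfileVersion 3 file. Note the nested copy of example-debug under
// example-app-widget: the top-level copy is clean, the nested one is not.
const SAMPLE_LOCK_V3 = JSON.stringify({
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "example-colors": "^5.0.0", "example-app-widget": "^1.0.0" } },
    "node_modules/example-colors": { version: "5.6.0" },
    "node_modules/example-app-widget": { version: "1.2.0", dependencies: { "example-debug": "^4.4.0" } },
    "node_modules/example-app-widget/node_modules/example-debug": { version: "4.4.2" },
    "node_modules/example-debug": { version: "4.3.7" },
  },
});

// Constructed lockfileVersion 1 file with the same shape expressed as nesting.
const SAMPLE_LOCK_V1 = JSON.stringify({
  name: "demo-app",
  lockfileVersion: 1,
  dependencies: {
    "example-colors": { version: "5.6.1" },
    "example-app-widget": { version: "1.2.0", dependencies: { "example-debug": { version: "4.4.2" } } },
  },
});

// Package name from a v2/v3 install path: everything after the last
// "node_modules/", which keeps the scope for "@scope/name".
function nameFromPath(p) {
  const i = p.lastIndexOf("node_modules/");
  return i === -1 ? p : p.slice(i + "node_modules/".length);
}

// v1 lockfiles nest transitive dependencies inside their parent entry.
function* walkV1(deps, prefix) {
  for (const [name, info] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    yield { name, version: info.version, path };
    yield* walkV1(info.dependencies, path + "/");
  }
}

// Yield every installed package regardless of lockfile version.
function* installedPackages(lock) {
  if (lock.packages) {
    for (const [path, info] of Object.entries(lock.packages)) {
      if (path === "" || !info.version) continue; // root project, workspace links
      yield { name: info.name || nameFromPath(path), version: info.version, path };
    }
  } else {
    yield* walkV1(lock.dependencies, "");
  }
}

// Exact name@version matching: a compromised release is a specific version, so a
// semver range in package.json says nothing about what is actually installed.
function auditLockfile(lockText, blocklist) {
  const lock = JSON.parse(lockText);
  const hits = [];
  for (const pkg of installedPackages(lock)) {
    if (blocklist.has(`${pkg.name}@${pkg.version}`)) hits.push(pkg);
  }
  return hits;
}

for (const [label, text] of [["v3", SAMPLE_LOCK_V3], ["v1", SAMPLE_LOCK_V1]]) {
  const hits = auditLockfile(text, COMPROMISED);
  console.log(`${label}: ${hits.length} hit(s)`);
  for (const h of hits) console.log(`  ${h.name}@${h.version} at ${h.path}`);
}
```

To use it on a real project, replace the sample text with `fs.readFileSync("package-lock.json", "utf8")` and the blocklist with the advisory's list of affected releases. Audit the lockfile rather than `package.json`, and check nested paths, because a transitive dependency can resolve to a different version than the top-level copy; in the v3 sample the only hit is the nested one. Cached tarballs and build images should be audited the same way, since a clean lockfile on the main branch says nothing about what a CI runner installed last week.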
Ongoing investigations suggest the attacker may have used AI to refine the malware, a technique also observed in the Nx case, where sensitive data was systematically harvested.
As the situation unfolds, the incident serves as a reminder of the fragility of software supply chains and the critical need for proper security measures in the rapidly evolving digital landscape.
With the JavaScript ecosystem at risk, the coming days will be crucial for developers and users to mitigate the damage and hopefully gain back some trust.