Ledger CTO warns of massive supply attack targeting crypto users

A widespread supply chain attack has been discovered, potentially tracking data from a crypto wallet and stealing assets on all ￰0￱ npm library of a big and trusted account has been compromised, researchers announced. A widespread npm supply chain attack is potentially targeting the owners of the most common crypto ￰1￱ Guillemet, CTO of Ledger, warned users to avoid crypto transactions using common browser-based or desktop wallets, and only transact through hardware wallets with great caution. 🚨 There’s a large-scale supply chain attack in progress: the NPM account of a reputable developer has been ￰2￱ affected packages have already been downloaded over 1 billion times, meaning the entire JavaScript ecosystem may be at ￰3￱ malicious payload works… — Charles Guillemet (@P3b7_) September 8, 2025 Researchers discovered one of the trusted JavaScript npm accounts was spreading packages with malicious code that was able to track and even divert crypto ￰4￱ after the attack, the maintainer reached out to the community via a Hackernoon profile to warn that the affected packages are still mostly compromised and yet to be replaced with safe ￰5￱ npm maintainer’s account is still not recovered, and was most probably stolen through social engineering and a fake 2FA ￰6￱ users reported a suspicious email originating from npmjs ￰7￱ of the JavaScript npm maintainers received a fake support email, leading to a compromised account and malicious crypto-stealing code injection into JavaScript packages. |).

It changes the destination address of transactions and… — cygaar (@0xCygaar) September 8, 2025 Once again, the biggest threat is against software wallet users, reportedly affecting MetaMask, Trust Wallet, Exodus, and ￰8￱ npm packages have been disabled, but developers must return to their code to discontinue the usage of the flawed ￰9￱ urged to avoid signing transactions until developers give a green light For now, it is considered improbable that the attacker is capable of stealing private seeds directly, as it would expose even bigger problems with wallet security. Currently, user wallets are safe unless they send out or sign a ￰10￱ address swap happens before signing, as the attacker uses similar-looking destination ￰11￱ addresses look almost similar, requiring a detailed letter-by-letter verification before signing.

Usually, crypto users check only the first and last four digits, leaving them open to address swap attacks. However, there are also smart contracts and automated ￰12￱ users are advised to lock and disable all browser wallets and refrain from signing ￰13￱ news also did not break down Monday’s crypto rally. Additionally, on-chain detectives have not sent out warnings of big or unusual losses from individual ￰14￱ attack can affect all apps in the Web3 and DeFi ecosystem. Currently, transactions continue on all ￰15￱ have taken a screengrab of potential destination wallets , some of which are still ￰16￱ you're reading this, you’re already ￰17￱ there with our newsletter .