cryptonews, September 8, 2025

“Avoid On-Chain Transactions”: Ledger CTO Issues Urgent Warning After JavaScript Attack

A large-scale supply chain attack on the JavaScript ecosystem has prompted an urgent warning from Ledger’s chief technology officer, Charles Guillemet, who advised users without hardware wallets to avoid on-chain transactions until further notice.

On September 8, hackers compromised the npm account of Josh Goldberg, a well-known open-source maintainer known as “Qix,” publishing malicious updates to 18 widely used packages, including chalk, debug, strip-ansi, and others. These utilities underpin much of the modern web and collectively account for more than 2.6 billion weekly downloads, according to npm data.

Yep, I've been pwned. 2FA reset email, looked very […] NPM affected.

I've sent an email off to @npmjs.bsky.social to see if I can get access […] everyone, I should have paid more […] like me; have had a stressful […] work to get this cleaned up. — Josh Junon (@bad-at-computer.bsky.social), 2025-09-08T15:15:45.497Z

Security researchers quickly found that the new versions contained a “crypto-clipper.” The payload works by intercepting browser functions and swapping out legitimate cryptocurrency wallet addresses with attacker-controlled ones. In some cases, the malware actively hijacks wallet communications, modifying transactions before they are […].

The attack was first uncovered after a build error exposed obfuscated code hidden in one of the updated packages. Analysis showed that the malware employed a two-pronged strategy: passively replacing wallet addresses using sophisticated algorithms to mimic the look of real ones, and actively intercepting transactions from browser-based wallets like MetaMask to redirect funds.

The scale of the attack is enormous. Packages such as chalk are downloaded nearly 300 million times a week, while debug sees around 358 million weekly downloads.
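The address-swap behaviour described above suggests a defender-side check that a dApp front-end can run at the last moment before a transaction is handed to the wallet. The following is an added example, not code from the article or from Ledger, MetaMask or any vendor named in it; `guardedSend`, `sendFn` and the sample addresses are constructed for illustration.

```javascript
// Added example (not from the article): compare the destination the user entered with
// the "to" field of the transaction that is actually about to be signed, and flag swaps
// that keep the leading/trailing characters a wallet UI typically displays.
// All addresses and the sendFn below are constructed sample values, not real ones.

function normalize(addr) {
  return String(addr).trim().toLowerCase(); // ignore checksum casing and whitespace
}

function sharedPrefixLen(a, b) {
  let i = 0;
  while (i < a.length && i < b.length && a[i] === b[i]) i++;
  return i;
}

function sharedSuffixLen(a, b) {
  let i = 0;
  while (i < a.length && i < b.length && a[a.length - 1 - i] === b[b.length - 1 - i]) i++;
  return i;
}

// Returns {ok, reason, prefix, suffix}. "lookalike-substitution" means the outgoing
// address differs only in the middle, the pattern the article attributes to the clipper.
function checkDestination(intended, outgoing) {
  const a = normalize(intended), b = normalize(outgoing);
  if (a === b) return { ok: true, reason: "match", prefix: a.length, suffix: a.length };
  const prefix = sharedPrefixLen(a, b), suffix = sharedSuffixLen(a, b);
  const lookalike = a.length === b.length && prefix >= 4 && suffix >= 4;
  return { ok: false, reason: lookalike ? "lookalike-substitution" : "mismatch", prefix, suffix };
}

// Wraps a hypothetical wallet send function so the check runs after any page script
// has had its chance to rewrite the transaction object, and refuses to sign on mismatch.
function guardedSend(sendFn, intended, tx) {
  const verdict = checkDestination(intended, tx.to);
  if (!verdict.ok) {
    throw new Error(`destination changed before signing (${verdict.reason})`);
  }
  return sendFn(tx);
}

// Constructed sample values: same first 6 and last 4 characters, different middle.
const INTENDED = "0x1234abcdefabcdefabcdefabcdefabcdefab5678";
const SWAPPED = "0x1234" + "f".repeat(32) + "5678";
```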

Collectively, the targeted libraries are embedded deep within the dependency trees of tools like Babel, ESLint, and countless other projects, raising concerns that the fallout could affect developers and users alike.

In a post on X, Ledger CTO Charles Guillemet described the incident as a “large-scale supply chain attack” and warned that the malicious payload had already reached billions of downloads. “If you use a hardware wallet, pay attention to every transaction before signing and you’re safe,” he wrote.

There’s a large-scale supply chain attack in progress: the NPM account of a reputable developer has been compromised. The affected packages have already been downloaded over 1 billion times, meaning the entire JavaScript ecosystem may be at risk. The malicious payload works… — Charles Guillemet (@P3b7_) September 8, 2025

“If you don’t use a hardware wallet, refrain from making any on-chain transactions for now.” Guillemet added that it was still unclear whether the attackers were also attempting to steal wallet seed phrases.

The attackers reportedly gained access through a phishing campaign that targeted npm maintainers with emails impersonating the platform’s support team. The fraudulent messages claimed that accounts would be locked unless two-factor authentication credentials were updated by September […]. The link redirected victims to a fake login page designed to steal credentials. Once in control of Goldberg’s account, the attackers pushed malicious versions of core packages used across millions of projects.

[…] Security, which analyzed the attack, said the injected code functioned as a browser-based interceptor capable of altering website content, tampering with API calls, and rewriting payment destinations without alerting users. npm has since removed many of the compromised versions, but security experts warn that transitive dependencies make it difficult to ensure complete remediation. Developers are being urged to immediately audit their projects, pin safe versions of dependencies, and rebuild. The attack shows the fragility of 
the open-source ecosystem, which relies heavily on trust between maintainers and users. With billions of downloads affected and active wallet addresses linked to stolen funds already surfacing on-chain, researchers are describing the incident as one of the most severe supply chain compromises in the JavaScript ecosystem’s history.

Crypto Hacks Surge Past $3B in 2025 as Phishing and Laundering Tactics Escalate

The crypto sector is facing its most severe security crisis yet, with hackers stealing over $3 billion across 119 incidents in the first half of 2025, according to new data from blockchain analytics firm Global […].

[…] are stealing more crypto and moving it […]. […] laundering process took only 2 minutes 57 seconds. Can the industry cope? #CryptoSecurity #Web3 #Blockchain #DeFi — cryptonews (@cryptonews) August 12, 2025

The figure is one and a half times greater than total losses in 2024, placing the industry on track to break annual records. The report shows the speed of these attacks as a new […]. In some cases, stolen funds were moved within four seconds of an exploit, far faster than most exchange alert systems. Around 70% of hacks saw funds moved before the breach became public, while one in four had assets fully laundered before any statement or alert was issued. On average, it takes 37 hours for an incident to be publicly reported, leaving investigators trailing attackers who often cash out within […]. Only 4.2% of stolen assets, around $126 million, were recovered in the first six months of the year.

Several incidents underline the scale of the threat. In July, hackers infiltrated Brazil’s national payment system through provider C&M Software, stealing about $180 million from reserve accounts and quickly routing funds through crypto […]. In June, hardware wallet maker Trezor warned of a phishing exploit that abused its customer support system to send fake emails requesting wallet backups.

@Trezor issues urgent alert after hackers exploited support form to send phishing emails requesting wallet backups, part of industry-wide attack wave targeting trusted platforms. #Cryptohack #Trezor — cryptonews (@cryptonews) June 23, 2025

Around the same time, CoinMarketCap and Cointelegraph suffered front-end compromises that pushed phishing pop-ups and fake airdrop promotions to visitors. Despite the surge in attacks, bug bounty programs continue to show results. Platforms like Immunefi report more than $120 million in payouts to white-hat hackers, preventing an estimated $25 billion in potential losses. Still, with laundering times now measured in seconds, analysts warn the industry’s defenses are struggling to keep pace.
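The advice earlier in the article to audit projects, pin safe versions and rebuild runs into the transitive-dependency problem the experts mention: a package can be installed several times, nested under other dependencies. The following lockfile audit is an added example, not code from the article, npm or any project named in it; the watchlist uses the package names given in the article, while the lockfile contents and the known-good versions are constructed placeholders (the article does not give the compromised version numbers).

```javascript
// Added example (not from the article): walk a package-lock.json (lockfileVersion 2/3)
// and list every installed copy of the watched packages, including copies nested under
// other dependencies, so each resolved version can be checked against a known-good list.
// The lockfile and known-good versions below are constructed sample data.
const WATCHLIST = ["chalk", "debug", "strip-ansi"]; // package names from the article

// "node_modules/eslint/node_modules/chalk" -> "chalk"; scoped names keep "@scope/name".
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

// Returns one record per installed copy: {name, version, path, transitive, integrity}.
function auditLockfile(lockfileJson, watchlist = WATCHLIST) {
  const lock = JSON.parse(lockfileJson);
  if (!lock.packages) throw new Error("only lockfileVersion 2/3 ('packages' map) is handled");
  const hits = [];
  for (const [lockPath, meta] of Object.entries(lock.packages)) {
    if (lockPath === "") continue; // root project entry, not a dependency
    const name = packageNameFromPath(lockPath);
    if (!watchlist.includes(name)) continue;
    const depth = lockPath.split("node_modules/").length - 1; // >1 means a nested copy
    hits.push({ name, version: meta.version, path: lockPath,
                transitive: depth > 1, integrity: meta.integrity || null });
  }
  return hits;
}

// Keep only copies whose version is not on the known-good list for that package.
function unexpectedVersions(hits, knownGood) {
  return hits.filter((h) => !(knownGood[h.name] || []).includes(h.version));
}

// Constructed sample lockfile: a direct chalk plus a second chalk nested under eslint.
const SAMPLE_LOCK = JSON.stringify({
  name: "demo-app", lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { chalk: "^5.3.0", eslint: "^9.0.0" } },
    "node_modules/chalk": { version: "5.3.0", integrity: "sha512-CONSTRUCTED-A" },
    "node_modules/eslint": { version: "9.0.0" },
    "node_modules/eslint/node_modules/chalk": { version: "4.1.2", integrity: "sha512-CONSTRUCTED-B" },
    "node_modules/debug": { version: "4.3.6" },
    "node_modules/@scope/strip-ansi-fork": { version: "1.0.0" }, // not on the watchlist
  },
});
// Constructed known-good list (placeholder versions, not the real safe releases).
const KNOWN_GOOD = { chalk: ["5.3.0"], debug: ["4.3.6"], "strip-ansi": ["7.1.0"] };
```

Running `unexpectedVersions(auditLockfile(SAMPLE_LOCK), KNOWN_GOOD)` reports only the nested chalk copy, which `npm ls` style top-level views can hide; lockfileVersion 1 files use a nested "dependencies" tree and are not handled here.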
