Summary
- Ledger CTO Charles Guillemet alerts users to a widespread JavaScript supply chain attack silently swapping crypto wallet addresses.
- 18 popular NPM packages were compromised. Libraries like chalk and debug were injected with malware after a developer’s account was hijacked.
- Just $497 stolen so far, but over 2 billion downloads means many dApps and wallets are potentially exposed.
- Protocols like Uniswap, Jupiter, and wallet providers like MetaMask have assured users that their funds are safe.
A major supply chain attack has rocked the crypto ecosystem, threatening users globally. Ledger’s CTO Charles Guillemet is sounding the alarm, urging caution and hardware wallet use.
The attack, which began with a hacked Node Package Manager (NPM) account, has already affected billions of downloads and endangered the security of millions of dApps and crypto transactions.
“The NPM account of a reputable developer has been compromised. The affected packages have already been downloaded over 1 billion times,” Guillemet warned.
🚨 There’s a large-scale supply chain attack in progress: the NPM account of a reputable developer has been compromised. The affected packages have already been downloaded over 1 billion times, meaning the entire JavaScript ecosystem may be at risk.
He further explained that the malware operates as a crypto clipper, stealthily hijacking wallet addresses during transactions to redirect funds to the attacker’s wallets. Guillemet urged users to be extra cautious, especially those not using hardware wallets.
“If you use a hardware wallet, pay attention to every transaction before signing and you’re safe. If you don’t, refrain from making any on-chain transactions for now,” he advised.
NPM hack: How the breach happened
The attack allegedly began with a phishing email impersonating official NPM support. The target was Qix-, a respected developer whose NPM account was hijacked, enabling attackers to inject malicious updates into popular JavaScript libraries.
Reports revealed that 18 popular NPM packages were found to be compromised, including high-profile packages such as ‘chalk’, ‘debug’, and ‘strip-ansi’. The attack, which happened on Sept. 8, is among the largest in recent history, impacting libraries with a total of more than 2 billion weekly downloads.
Once installed, the malicious payload silently replaces copied crypto addresses with lookalike ones controlled by the hacker. This technique, powered by Levenshtein distance logic, tricks unsuspecting users into sending funds to the wrong addresses.
One main wallet address linked to the attack was highlighted by researchers, though they flagged additional wallets believed to be connected.
Although the direct financial effect is not that significant, the possible magnitude is immense considering the popularity of the affected packages.
Community response and prevention
A number of projects and protocols, such as Uniswap, SUI, and Jupiter, have affirmed that they are not affected but have advised caution. Cryptocurrency wallets such as Ledger and MetaMask assured users of multi-layered security measures.
Meanwhile, the NPM supply chain hack was not the only major security event on Sept. 8. Swiss crypto wealth platform SwissBorg reported a million exploit via a partner API, affecting 1% of users. Additionally, the Ethereum L2 project Kinto announced its shutdown after a July exploit drained 577 ETH, leaving the team unable to secure funding.
This wave of attacks is an indicator of the increasing complexity of crypto threats. Going forward, users, developers, and platforms need to embrace more secure practices and rigorous package audits.
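The address-swapping technique described above (a clipper that picks a lookalike payout address by Levenshtein distance) can be countered on the signing side. The following is an added example, not code from the article, from Ledger, or from any wallet project: a pre-signing guard that compares the recipient against a trusted address book and flags near-matches. The thresholds and the sample addresses are constructed assumptions.

```javascript
// Added example, not from the article, Ledger or any wallet project: a
// pre-signing guard that flags a recipient which resembles a trusted address
// without being identical. A clipper that picks its payout address by
// Levenshtein distance produces exactly that pattern.

function levenshtein(a, b) {
  // Standard two-row dynamic-programming edit distance.
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

function sharedPrefix(a, b) {
  let n = 0;
  while (n < a.length && n < b.length && a[n] === b[n]) n++;
  return n;
}

function sharedSuffix(a, b) {
  let n = 0;
  while (n < a.length && n < b.length && a[a.length - 1 - n] === b[b.length - 1 - n]) n++;
  return n;
}

// Thresholds are assumptions: "0x" plus four hex digits at each end is about
// what a user eyeballs, and an edit distance of 8 or less is far closer than
// two unrelated 40-digit hex addresses ever get.
function checkRecipient(recipient, trustedAddresses,
                        { minPrefix = 6, minSuffix = 4, maxDistance = 8 } = {}) {
  const r = recipient.toLowerCase();
  let nearest = null;
  for (const t of trustedAddresses) {
    const tl = t.toLowerCase();
    if (r === tl) return { verdict: 'trusted', match: t, distance: 0 };
    const d = levenshtein(r, tl);
    const alike = d <= maxDistance ||
      (sharedPrefix(r, tl) >= minPrefix && sharedSuffix(r, tl) >= minSuffix);
    if (alike) return { verdict: 'lookalike', match: t, distance: d };
    if (nearest === null || d < nearest) nearest = d;
  }
  return { verdict: 'unknown', match: null, distance: nearest };
}
```

A wallet or dApp would call `checkRecipient` with the transaction's destination and the user's saved addresses, and block or require explicit confirmation on a `lookalike` verdict.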