Share this article
Ledger CTO Warns of NPM Supply-Chain Attack Hitting 1B+ Downloads
According to Guillemet, the malicious code — already pushed into packages with over 1 billion downloads — is designed to silently swap crypto wallet addresses in transactions. That means unsuspecting users could send funds directly to the attacker without realizing it.
Sep 8, 2025, 7:29 p.m.
What to know:
- Charles Guillemet, chief technology officer at hardware wallet maker Ledger, warned on X on Monday that a large-scale supply chain attack is underway after the compromise of a reputable developer’s Node Package Manager (NPM) account.
- According to Guillemet, the malicious code — already pushed into packages with over 1 billion downloads — is designed to silently swap crypto wallet addresses in transactions. That means unsuspecting users could send funds directly to the attacker without realizing it.
Charles Guillemet, chief technology officer at hardware wallet maker Ledger, warned on X on Monday that a large-scale supply chain attack is underway after the compromise of a reputable developer’s Node Package Manager (NPM) account.
According to Guillemet, the malicious code — already pushed into packages with over 1 billion downloads — is designed to silently swap crypto wallet addresses in transactions. That means unsuspecting users could send funds directly to the attacker without realizing it.
STORY CONTINUES BELOW
Guillemet did not name the developer whose account he said was compromised.
The incident underscores how deeply interconnected open-source software is and why security lapses in developer tools can ripple into the crypto economy almost instantly.
Loading...
“NPM is a tool commonly used in software development using JavaScript, which makes integrating packages easy for developers,” said Guillemet in a message to CoinDesk. When an attacker compromises a developer’s account, they can slip malicious code into widely used packages.
“The malicious code attempts to drain users by swapping addresses used in transaction or general on-chain activity and replacing them with the hacker’s address,” Guillemet added.
Guillemet stressed that if any decentralized application or software wallet across any blockchain includes these JavaScript packages, then they could be compromised, and crypto users could therefore lose their funds.
“The only sure way to combat this is to use a hardware wallet with a secure screen that supports Clear Signing,” said Guillemet to CoinDesk. “This will allow the user to see exactly which addresses funds are being sent to and ensure they match the intended addresses.”
"Hardware wallets without secure screens and any wallet that doesn't support Clear signing is at high risk as it is impossible to accurately verify the transaction details are correct," he added.
"It's an opportunity to remind everyone: always verify your transactions, never blind sign, use a hardware wallet with a secure screen, and Clear Sign everything," Guillemet said.
Read more: Ledger CTO Addresses Criticism of New Wallet Recovery Service
AI Disclaimer: Parts of this article were generated with the assistance from AI tools and reviewed by our editorial team to ensure accuracy and adherence to our standards. For more information, see CoinDesk's full AI Policy.
More For You
What to know:
- As of October 2025, GoPlus has generated $4.7M in total revenue across its product lines. The GoPlus App is the primary revenue driver, contributing $2.5M (approx. 53%), followed by the SafeToken Protocol at $1.7M.
- GoPlus Intelligence's Token Security API averaged 717 million monthly calls year-to-date in 2025 , with a peak of nearly 1 billion calls in February 2025. Total blockchain-level requests, including transaction simulations, averaged an additional 350 million per month.
- Since its January 2025 launch , the $GPS token has registered over $5B in total spot volume and $10B in derivatives volume in 2025. Monthly spot volume peaked in March 2025 at over $1.1B , while derivatives volume peaked the same month at over $4B.
More For You
Solana’s Drift Launches v3, With 10x Faster Trades
With v3, the team says that about 85% of market orders will fill in under half a second, and liquidity will deepen enough to bring slippage on larger trades down to around 0.02%.
What to know:
- Drift, one of the largest perpetuals trading platforms on Solana, has launched Drift v3, a major upgrade meant to make on-chain trading feel as fast and smooth as using a centralized exchange.
- The new version will deliver 10-times faster trade execution thanks to a rebuilt backend, marking the largest performance jump the project has made so far.
Top Stories
