Crypto Firms Assess Fallout From Massive Supply Chain Security Breach

Crypto firms are racing to assess potential fallout after reports of a large-scale supply chain attack that compromised a widely used software library, sparking fears across the industry.

Ledger chief technology officer Charles Guillemet issued an urgent warning on Monday, urging users to pause onchain transactions. He said a malicious payload had been planted in JavaScript packages downloaded more than one billion times, a scale that could threaten the entire ecosystem.

🚨 There’s a large-scale supply chain attack in progress: the NPM account of a reputable developer has been compromised. The affected packages have already been downloaded over 1 billion times, meaning the entire JavaScript ecosystem may be at risk.

The malicious payload works…

— Charles Guillemet (@P3b7_) September 8, 2025

“There’s a large-scale supply chain attack in progress: the NPM account of a reputable developer has been compromised. The affected packages have already been downloaded over 1 billion times, meaning the entire JavaScript ecosystem may be at risk,” Guillemet posted on X. He added that the malware silently swaps crypto addresses on the fly to steal funds.

Developer Duped By Fake Lockout Alerts, Credentials Stolen In NPM Hack

The attack stemmed from the compromise of the NPM account of Josh Junon, known in the open-source community as “qix.” Hackers sent phishing emails that mimicked the official npmjs.com domain, warning of an imminent account lockout.

𝗤𝗶𝘅 𝗻𝗽𝗺 𝗔𝗰𝗰𝗼𝘂𝗻𝘁 𝗖𝗼𝗺𝗽𝗿𝗼𝗺𝗶𝘀𝗲: 𝗛𝗲𝗿𝗲'𝘀 𝗮 𝗳𝘂𝗹𝗹 𝗮𝗻𝗮𝗹𝘆𝘀𝗶𝘀 𝗼𝗻 𝘄𝗵𝗮𝘁 𝗵𝗮𝗽𝗽𝗲𝗻𝗲𝗱 𝗮𝗻𝗱 𝗵𝗼𝘄 𝘁𝗼 𝘀𝘁𝗮𝘆 𝘀𝗮𝗳𝗲.

𝗪𝗵𝗮𝘁 𝗛𝗮𝗽𝗽𝗲𝗻𝗲𝗱?

𝗧𝗵𝗲 𝗕𝗮𝘀𝗶𝗰 𝗦𝘁𝗼𝗿𝘆: A hacker sent a fake email to Josh Junon (known as… pic.twitter.com/zgNzieKbZA

— BIG JO | A Phone and A Dream 2025 📱 🐐 (@__BigJo) September 8, 2025

The messages tricked Junon into clicking links that redirected to a fake login page where his credentials were harvested.

Junon later confirmed on GitHub and Bluesky that he had been duped. “Sorry everyone, I should have paid more attention,” he wrote, adding that it had been a stressful week and promising to help clean up the incident.

Some industry voices have suggested it could be the largest supply chain attack ever recorded.

📢 Important Notice 📢@OKX is not affected by the NPM supply-chain incident. Security is our top priority and we've confirmed that we have no exposure to the compromised code.

• OKX Mobile App: No exposure – built on native iOS and Android frameworks.
• OKX Plug-Ins, Web… pic.twitter.com/fryWPJDclw

— OKX Wallet (@wallet) September 9, 2025

Uniswap, MetaMask And Others Say They Were Not Impacted By The Breach

The malware is designed to intercept cryptocurrency transactions on blockchains such as Ethereum, Bitcoin, Solana and Tron. It specifically threatens software wallets, decentralized applications and web-based interfaces that integrate the compromised packages. By silently substituting recipient addresses, attackers can redirect funds without the user noticing until it is too late.

Companies moved quickly to reassure customers. Uniswap, Morpho, MetaMask, OKX Wallet, Sui and Aave all said they had not been affected by the breach.

Since the malicious code was live for about two hours before NPM security teams intervened, some applications likely integrated the compromised versions during that window. However, blockchain monitors said the attacker has not yet received stolen funds.

Junon also acknowledged inadvertently authorizing a reset of the two-factor authentication on his account, giving intruders further control. That lapse, combined with the phishing scheme, opened the door to the attack.

While cleanup efforts are under way, the breach has raised new questions about the resilience of open-source infrastructure underpinning much of the crypto economy. The event also shows how a single compromised developer account can ripple across a global ecosystem.