Crypto firms are racing to assess potential fallout after reports of a large-scale supply chain attack that compromised a widely used software library, sparking fears across the industry.
Ledger chief technology officer Charles Guillemet issued an urgent warning on Monday, urging users to pause onchain transactions. He said a malicious payload had been planted in JavaScript packages downloaded more than one billion times, a scale that could threaten the entire ecosystem.
The attack stemmed from the compromise of the NPM account of Josh Junon, known in the open-source community as “qix.” Hackers sent phishing emails that mimicked the official npmjs.com domain, warning of an imminent account lockout.
The messages tricked Junon into clicking links that redirected to a fake login page where his credentials were harvested.
The malware is designed to intercept cryptocurrency transactions on blockchains such as Ethereum, Bitcoin, Solana and Tron.
It specifically threatens software wallets, decentralized applications and web-based interfaces that integrate the compromised packages. By silently substituting recipient addresses, attackers can redirect funds without the user noticing until it is too late.
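The address-substitution technique described above can be caught at the wallet boundary by pinning the recipient the user confirmed and refusing any outgoing request whose `to` field no longer matches. The following is an added example, not code from the article or from any of the projects it names; the provider object, the request shape and the addresses are constructed for the demo, and `request()` is kept synchronous although real EIP-1193 providers return promises.

```javascript
// Added example, not code from the article: a wallet-side guard that pins
// the recipient the user confirmed and refuses any transaction request
// whose "to" field was rewritten before it reaches the signer.
// Provider, request shape and addresses are constructed for the demo
// (request() kept synchronous; real EIP-1193 providers return promises).

const normalizeAddress = (addr) => String(addr ?? '').trim().toLowerCase();

function createRecipientGuard(provider) {
  let pinned = null;      // recipient the user explicitly confirmed
  const blocked = [];     // mismatches seen, for logging/alerting

  return {
    // Call at the moment the user confirms the address in the UI.
    confirmRecipient(addr) { pinned = normalizeAddress(addr); },

    // Drop-in replacement for provider.request: compares the outgoing
    // "to" against the pinned value before forwarding to the signer.
    request(args) {
      if (args.method === 'eth_sendTransaction') {
        const to = normalizeAddress(args.params?.[0]?.to);
        if (pinned === null || to !== pinned) {
          blocked.push({ expected: pinned, got: to });
          throw new Error(`recipient mismatch: expected ${pinned}, got ${to}`);
        }
      }
      return provider.request(args);
    },
    blockedRequests() { return blocked.slice(); },
  };
}

// Constructed stand-in for an injected provider; records what reaches the signer.
function makeFakeProvider() {
  const signed = [];
  return { signed, request(args) { signed.push(args); return '0xconstructed-txhash'; } };
}

// Demo: the user confirms address A, a compromised dependency swaps in B.
function demo() {
  const provider = makeFakeProvider();
  const guard = createRecipientGuard(provider);
  const userAddr = '0x' + 'a'.repeat(40);    // constructed sample recipient
  const swappedAddr = '0x' + 'b'.repeat(40); // constructed substituted address
  guard.confirmRecipient(userAddr);
  let blocked = false;
  try { guard.request({ method: 'eth_sendTransaction', params: [{ to: swappedAddr, value: '0x1' }] }); }
  catch (e) { blocked = true; }
  // Same address in a different case still matches and is forwarded.
  guard.request({ method: 'eth_sendTransaction', params: [{ to: userAddr.toUpperCase(), value: '0x1' }] });
  return { blocked, signedCount: provider.signed.length, mismatches: guard.blockedRequests().length };
}
```

An in-page guard is defence in depth only: code running in the same page can tamper with the guard as easily as with the request, so confirming the address on a separate signing device remains the stronger check.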
Since the malicious code was live for about two hours before NPM security teams intervened, some applications likely integrated the compromised versions during that window. However, blockchain monitors said the attacker has not yet received stolen funds.
Junon also acknowledged inadvertently authorizing a reset of the two-factor authentication on his account, giving intruders further control. That lapse, combined with the phishing scheme, opened the door to the attack.
Companies moved quickly to reassure customers. Uniswap, Morpho, MetaMask, OKX Wallet, Sui and Aave all said they had not been affected by the breach.