Critical hack may put crypto funds at risk: Ledger CTO

A critical software hack may be putting crypto funds at risk, Ledger’s chief technology officer Charles Guillemet warned on Monday.

Hackers appear to have compromised the npm account of an unnamed developer who’s “well-known,” Guillemet said. 

The hackers slipped malicious code into a tiny but widely used JavaScript package called error-ex. That package has been downloaded more than one billion times and is embedded in countless apps and services.

The malware operates by silently monitoring for cryptocurrency activity. When a user tries to send Bitcoin, Ethereum, Solana, or other tokens, it swaps the destination wallet with one controlled by attackers. Victims may believe they are sending funds to a trusted address, but the money instead flows to malicious actors.

Security analysts warned that the code can hijack transactions at multiple layers — altering what websites display, changing background processes, and even tricking apps into misrepresenting what users are signing.

Guillemet advised hardware wallet owners to carefully confirm each transaction on the device’s screen before approving it. Because the hardware displays the true recipient address, diligent users can still spot tampering. For those using software wallets alone, he urged avoiding all on-chain transactions until the attack is better understood.

Researchers are describing the breach as possibly the largest open-source supply chain attack in history. It highlights the fragility of shared software libraries and the direct financial risk they can create in crypto.

This is a developing story.

This article was generated with the assistance of AI and reviewed by editor Jeffrey Albus before publication.

Get the news in your inbox. Explore Blockworks newsletters: