Ledger CTO Charles Guillemet has sounded the alarm on a major supply chain attack targeting the JavaScript ecosystem.
The exploit comes after a reputable developer’s NPM account was compromised, pushing malicious code into widely used packages with over 1 billion downloads.
On X, Guillemet wrote:
“There’s a large-scale supply chain attack in progress: the NPM account of a reputable developer has been compromised. The affected packages have already been downloaded over 1 billion times, meaning the entire JavaScript ecosystem may be at risk.”
The malicious payload works…
— Charles Guillemet (@P3b7_) September 8, 2025
Malicious Payload Swaps Crypto Addresses
The injected payload is designed to silently replace crypto addresses during transactions. If a user pastes or inputs a wallet address, the code swaps it with the attacker’s address—stealing funds without the victim realizing.
NPM has already disabled the compromised versions, but Guillemet cautions that risks may remain, especially on frontend applications still relying on cached or unpatched code.
He advised:
- Hardware wallet users should double-check every transaction before signing.
- Software wallet users should pause all on-chain activity until further clarity.
At this stage, it’s not clear if the attacker is also harvesting seed phrases from software wallets.
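The advice above (check the recipient before signing, and never trust the address the page shows you without comparing it) can be built into a wallet front end. The following is an added example, not code from the article, Ledger or any wallet named on the page: the address the user typed is snapshotted once, and the unsigned transaction is compared against that snapshot right before the signing request goes out, so a recipient altered later by any code running in the page is rejected rather than signed. The function names, the two address formats and the sample addresses are assumptions made for illustration.

```javascript
// Added example, not code from the article, Ledger or any wallet named on the page.
// Sign-time recipient verification for a web wallet front end: the address the user
// entered is captured once, and the transaction is checked against that capture
// immediately before signing. All names and formats here are assumptions.

// Format-only checks for two common address families (EVM hex, Solana base58).
// They do not validate checksums or on-chain existence.
const EVM_HEX = /^0x[0-9a-fA-F]{40}$/;
const SOL_BASE58 = /^[1-9A-HJ-NP-Za-km-z]{32,44}$/;

function looksLikeAddress(addr) {
  return EVM_HEX.test(addr) || SOL_BASE58.test(addr);
}

// Short prefix/suffix fingerprint shown beside the full address, so a user can
// compare it with what a hardware wallet displays on its screen before approving.
function fingerprint(addr) {
  return addr.length <= 12 ? addr : `${addr.slice(0, 6)}...${addr.slice(-6)}`;
}

// Capture the user's intent at input time. The object is frozen so it cannot be
// edited in place; a different recipient can then only appear in the transaction
// itself, which verifyBeforeSign() rejects.
function createTransferIntent(recipientInput, amount) {
  const recipient = String(recipientInput).trim();
  if (!looksLikeAddress(recipient)) {
    throw new Error(`recipient does not look like a supported address: ${recipient}`);
  }
  return Object.freeze({ recipient, amount: String(amount), fingerprint: fingerprint(recipient) });
}

// Run right before the signing request. Returns a verdict instead of throwing so
// the UI can block the transaction and show the user both fingerprints.
function verifyBeforeSign(intent, unsignedTx) {
  const destination = String(unsignedTx.to ?? '').trim();
  if (destination !== intent.recipient) {
    return {
      ok: false,
      reason: `recipient changed: you entered ${intent.fingerprint}, transaction targets ${fingerprint(destination)}`,
    };
  }
  if (String(unsignedTx.amount) !== intent.amount) {
    return { ok: false, reason: `amount changed: you entered ${intent.amount}, transaction has ${unsignedTx.amount}` };
  }
  return { ok: true, reason: 'recipient and amount match what was entered' };
}

// Constructed walk-through: an intent, the matching transaction, and one whose
// destination no longer matches what the user entered.
function demo() {
  const entered = '0x1111111111111111111111111111111111111111'; // constructed sample address
  const intent = createTransferIntent(`  ${entered} `, '1.5');
  const honest = verifyBeforeSign(intent, { to: entered, amount: '1.5' });
  const altered = verifyBeforeSign(intent, { to: '0x2222222222222222222222222222222222222222', amount: '1.5' });
  return { honest: honest.ok, altered: altered.ok, alteredReason: altered.reason };
}
```

The check only helps if the snapshot is taken from the user's own input event and the comparison runs in the code path that actually submits the signing request; a snapshot taken from the same DOM field the transaction builder reads would see the same altered value.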
Solana Ecosystem Responds
The attack has triggered responses across the Solana ecosystem. Protocols and wallets quickly issued statements clarifying their exposure—or lack thereof.
Drift Protocol
Solana-based Drift Protocol confirmed that both its SDK and UI remain unaffected. The team advised users to stay alert when signing any transactions until wallets fully confirm safety.
Drift confirms that Drift’s SDK and UI are not affected by the large-scale NPM supply chain attack.
None of the compromised packages were identified in Drift’s codebase.
For the safety of the community, Drift advises users to temporarily refrain from signing transactions until…
— Drift (@DriftProtocol) September 8, 2025
Solflare Wallet
Popular Solana wallet Solflare said its users are not at risk. The team pointed to safeguards like version locking and thorough code reviews before merging updates. Minor version changes are never pushed without review.
Solflare users are not at risk ✅
We enforce version locking to protect from supply-chain attacks. Minor versions get bumped and merged only after a thorough code review.
Security is our #1 priority.
Stay safe 🟨⬛️ https://t.co/MSYDegKeIO
— Solflare – The Solana Wallet (@solflare) September 8, 2025
Kamino Finance
Kamino Finance co-founder @y2kappa responded, confirming Solana’s leading lending protocol is not exposed. The Kamino app has no dependency on the compromised NPM packages.
Confirming the Kamino app does not have a dependency on the affected packages. https://t.co/FVj0KyAMX4
— Marius | Kamino (@y2kappa) September 8, 2025
Marinade Finance
Staking giant Marinade Finance said it is monitoring the situation closely. Initial checks show no impact, but the team urged users to remain vigilant as details unfold.
We are monitoring the ongoing NPM supply chain attack.
After double-checking our systems, Marinade is not affected. Still, we advise everyone to stay vigilant as the situation unfolds.
We’ll continue to track this closely and keep the community updated. https://t.co/8CRq9rFZtt
— Marinade 🛡️ (@MarinadeFinance) September 8, 2025
Jupiter Exchange
Solana’s top DEX aggregator Jupiter Exchange confirmed it is safe. Neither the Jupiter web app nor Jup Mobile relies on the compromised versions.
Regarding the recent NPM supply-chain attack:
Both Jupiter and Jup Mobile users are completely unaffected by the vulnerability.
We’ve confirmed across the source code that none of the affected package-versions exist in any Jupiter product.
Users are safe ✅ https://t.co/6Gee2mcN97
— Jupiter (🐱, 🐐) (@JupiterExchange) September 8, 2025
Supply Chain Attacks: A Growing Risk
This incident highlights the fragility of open-source ecosystems. With NPM packages embedded across thousands of projects, a single compromised account can spread malicious code to millions of users overnight.
The risk is amplified in crypto, where address swaps can directly drain wallets. Unlike traditional hacks, supply chain attacks exploit trust in widely used libraries, slipping past most developers and security tools.
What Users Should Do
Guillemet’s advice is clear:
- Hardware wallets remain the safest option. Always verify the transaction address on the device before approving.
- Software wallet users should avoid sending transactions until updates confirm no deeper compromise.
- Developers should review package dependencies and ensure they are not pulling from compromised versions.
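The two developer-side checks this page points at, the version locking Solflare describes and the advice to review dependencies for compromised versions, can both be run against a project's lockfile. The script below is an added example, not code from the article, Solflare or any project named here. It walks a package-lock.json in the lockfileVersion 3 layout (the "packages" map keyed by install path, which npm 7 and later write) and reports two things: installed package versions that appear in an advisory list, including copies nested under other packages, and direct dependencies declared with a range rather than an exact version, which a fresh install could resolve to a newer release. The advisory entries and the lockfile are constructed placeholders, since the article does not name the affected packages; real names and versions must come from the npm advisory for the incident.

```javascript
// Added example, not from the article or any project named on it. Audits a
// package-lock.json (lockfileVersion 3 layout) for advisory matches and for
// direct dependencies that are not pinned to an exact version.

// PLACEHOLDER advisory list. The article names no packages; substitute the real
// name/version pairs from the npm advisory for the incident.
const ADVISORY = [
  { name: 'example-affected-pkg', versions: ['4.1.2'] },
  { name: '@example/other-pkg', versions: ['1.0.9', '1.0.10'] },
];

// Constructed lockfile. In this layout a nested copy of a package is keyed as
// node_modules/<parent>/node_modules/<name>, so it is easy to miss by eye.
const SAMPLE_LOCKFILE = {
  name: 'sample-app',
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { 'example-affected-pkg': '^4.1.0', 'safe-lib': '2.0.0', '@example/other-pkg': '1.0.8' } },
    'node_modules/example-affected-pkg': { version: '4.1.2' },
    'node_modules/safe-lib': { version: '2.0.0' },
    'node_modules/safe-lib/node_modules/@example/other-pkg': { version: '1.0.9' },
    'node_modules/@example/other-pkg': { version: '1.0.8' },
  },
};

// Recover the package name from an install path; scoped names keep "@scope/".
function nameFromPath(installPath) {
  const idx = installPath.lastIndexOf('node_modules/');
  return idx === -1 ? installPath : installPath.slice(idx + 'node_modules/'.length);
}

// Every installed package (root entry "" excluded) whose name and exact version
// appear in the advisory list, wherever it sits in the tree.
function findAdvisoryMatches(lockfile, advisory = ADVISORY) {
  const byName = new Map(advisory.map((a) => [a.name, new Set(a.versions)]));
  const hits = [];
  for (const [installPath, entry] of Object.entries(lockfile.packages ?? {})) {
    if (installPath === '' || !entry.version) continue;
    const name = nameFromPath(installPath);
    const bad = byName.get(name);
    if (bad && bad.has(entry.version)) hits.push({ path: installPath, name, version: entry.version });
  }
  return hits;
}

// An exact version is major.minor.patch with an optional prerelease/build suffix.
// Anything else (^, ~, >=, *, x, a tag such as "latest", a URL) may float to a
// newer release on the next install.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$/;

// Direct dependencies of the root package that are declared with a range.
function findFloatingDependencies(lockfile) {
  const root = lockfile.packages?.[''] ?? {};
  const floating = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(root[field] ?? {})) {
      if (!EXACT_VERSION.test(spec)) floating.push({ name, spec, field });
    }
  }
  return floating;
}

// Audit a lockfile on disk (CommonJS entry point; assumed usage: node audit.js package-lock.json).
function auditLockfileFile(path) {
  const lockfile = JSON.parse(require('fs').readFileSync(path, 'utf8'));
  return { matches: findAdvisoryMatches(lockfile), floating: findFloatingDependencies(lockfile) };
}

if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  const target = process.argv[2];
  const report = target ? auditLockfileFile(target)
    : { matches: findAdvisoryMatches(SAMPLE_LOCKFILE), floating: findFloatingDependencies(SAMPLE_LOCKFILE) };
  console.log(JSON.stringify(report, null, 2));
}
```

Run against the constructed lockfile, the script reports the advisory version of example-affected-pkg at the top level, the nested @example/other-pkg 1.0.9 under safe-lib, and flags example-affected-pkg as floating because it is declared as ^4.1.0. Note that a lockfile only records what was resolved last time: installing with npm install rather than npm ci can rewrite it, so the floating-dependency list is what determines whether the next install could pull a new release.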
As of now, the attack appears contained, with NPM disabling malicious versions. But questions remain. Is the attacker only hijacking addresses—or also attempting to exfiltrate seeds from software wallets? The answer could determine whether this is an inconvenience for careless users or a catastrophic breach across the industry.
For now, caution is the rule. Guillemet’s warning underscores how even one compromised developer account can threaten an entire ecosystem. With over 1 billion downloads at risk, this NPM attack may go down as one of the most significant supply chain compromises in recent memory.
Disclosure: This is not trading or investment advice. Always do your research before buying any cryptocurrency or investing in any services.