Ledger’s CTO, Charles Guillemet, recently released a new statement about the NPM attack targeting popular software that has been downloaded over 1 billion times.
Guillemet stated that the attack was unsuccessful and “virtually no victims were affected.” He explained that the attack began with a phishing email sent from a fake npm support domain, which allowed the attackers to steal developer credentials and release malicious package updates.
The malicious code targeted web cryptocurrency activity, attempting to interfere with transactions on Ethereum, Solana, and other chains. Specifically, it attempted to steal user funds by directly manipulating wallet addresses in network responses. However, the attack was detected early and its impact was limited when errors caused crashes in CI/CD (continuous integration and continuous delivery) processes.
Guillemet pointed out that assets held in software wallets and exchanges are at great risk and issued the following warning:
“If your funds are sitting in a software wallet or exchange, you can lose everything with a single code execution. Supply chain attacks continue to be a powerful malware spreading method.”
The Ledger CTO reminded users that hardware wallets are safer against such threats and argued that security features such as Clear Signing and Transaction Checks show the user suspicious activity.