Ledger’s Chief Technology Officer Charles Guillemet has sounded an alarm over what he described as one of the most serious supply chain attacks ever to hit the JavaScript ecosystem.
Ledger Issues Urgent Warning
On Monday, Ledger CTO Guillemet posted on X that the npm account of a reputable open-source maintainer had been compromised, leading to malicious updates across widely used software libraries.
He wrote,
“There’s a large-scale supply chain attack in progress… the entire JavaScript ecosystem may be at risk.”
He stressed that hardware wallet users remain secure if they verify every transaction, but advised all others to stop conducting blockchain transactions temporarily.
Malicious Updates to Widely Used Packages
The breach occurred on September 8 when hackers gained access to the npm account of Josh Goldberg, known as “Qix.” Attackers published corrupted versions of 18 packages, including chalk, debug, strip-ansi, and color-convert, which collectively account for more than 2.6 billion weekly downloads and are embedded in core developer tools like Babel and ESLint.
Researchers discovered that the injected code carried “crypto-clipper” malware designed to intercept browser functions. The payload swaps legitimate wallet addresses with attacker-controlled ones and, in some cases, hijacks wallet communications to modify transactions before signatures are applied. The malware was first detected after a build error revealed hidden obfuscated code.
Sophisticated Attack Strategy
Analysis showed the malware was engineered with dual tactics: passively replacing wallet addresses with lookalikes, while actively intercepting and altering transactions on browser-based wallets such as MetaMask. This layered approach allowed attackers to redirect funds seamlessly, often without users realizing it.
Investigations suggest the breach originated from a phishing attack on npm maintainers. Fraudulent emails, posing as official npm security notices, instructed recipients to update two-factor authentication or risk account suspension. Victims who followed the link were directed to a fake login page, allowing attackers to seize credentials and infiltrate Goldberg’s account.
Once inside, the attackers distributed malicious versions of the core packages, effectively weaponizing software tools relied upon by millions. Security firm Aikido noted that the code functioned as a browser interceptor, capable of rewriting payment destinations, altering API calls, and tampering with website content.
Ongoing Fallout and Industry Concerns
Although npm has removed many of the compromised versions, security experts warn that hidden transitive dependencies make it difficult to fully contain the attack. Developers are being urged to audit projects, pin known-safe package versions, and rebuild lockfiles immediately.
The incident underscores the fragility of the open-source ecosystem, which depends heavily on trust between maintainers and developers. With wallet addresses linked to stolen funds already surfacing on-chain, researchers are calling the attack one of the most severe in the history of the JavaScript ecosystem.
Disclaimer: This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice