Ledger’s chief technology officer issued an urgent warning on Monday after discovering what he described as a large-scale supply chain attack targeting the global JavaScript ecosystem, raising concerns for cryptocurrency users worldwide.
Charles Guillemet, CTO of the Paris-based hardware wallet maker, said in a post to X that a trusted developer’s NPM account had been compromised. Malicious packages linked to the account have already been downloaded more than a billion times, potentially exposing countless websites, apps and crypto projects.
NPM (Node Package Manager) is the world’s largest software registry, with more than 2.1 million packages and over 100 billion downloads every month, making it a prime target for attackers seeking broad impact.
“There’s a large-scale supply chain attack in progress,” Guillemet wrote. “If you use a hardware wallet, pay attention to every transaction before signing and you’re safe. If you don’t, refrain from making any onchain transactions for now.”
Attack Method and Scope
According to Guillemet and other developers, the injected malicious code silently swaps cryptocurrency addresses, redirecting funds to attackers during transactions. Independent security researcher @0xCygaar described it as a “supply chain attack affecting the NPM account of a reputable developer,” while another, @0x_ultra, said that major JavaScript packages with billions of weekly downloads had been compromised.
Such “dependency hijacking” attacks have precedent: in 2021, researchers documented incidents where attackers injected malicious code into widely used NPM packages like ua-parser-js, coa, and rc, each with millions of weekly downloads. Those breaches briefly affected companies including Microsoft, Apple, and Slack.
The package maintainer later confirmed the breach, noting that phishing emails impersonating npmjs.com were used to hijack credentials. Attackers reportedly threatened account suspensions to trick maintainers into clicking malicious links. This method mirrors tactics used in the 2020 SolarWinds attack, in which hackers inserted backdoors into software updates affecting 18,000 customers, including U.S. government agencies.
While compromised versions were disabled by NPM around 15:15 UTC, developers have been advised to review all recent dependency updates. “If your app did an npm update in the last few hours you might still be at risk,” @0xCygaar said. NPM’s parent company, GitHub (owned by Microsoft), has pledged to accelerate mandatory two-factor authentication (2FA) for all maintainers by the end of 2025 to mitigate similar risks.
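One way to act on that advice, as an added example that is not from the article, Ledger, or NPM: a Python check over a `package-lock.json` that flags dependencies whose installed version was published on or after a cutoff time, using per-package publish dates in the shape returned by `npm view <pkg> time --json`. The lockfile, publish times, package names and cutoff below are all constructed for illustration.

```python
"""Flag lockfile dependencies whose installed version was published after a cutoff."""
import json
from datetime import datetime

# Constructed sample package-lock.json (lockfileVersion 3); names are placeholders.
SAMPLE_LOCK = json.dumps({
    "name": "example-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/example-lib": {"version": "2.3.1"},
        "node_modules/example-lib/node_modules/nested-util": {"version": "0.9.0"},
        "node_modules/stable-pkg": {"version": "4.0.0"},
    },
})

# Constructed publish times, shaped like the output of `npm view <pkg> time --json`
# (version -> ISO-8601 timestamp). In practice fetch these from the registry.
SAMPLE_TIMES = {
    "example-lib": {"2.3.0": "2025-06-01T10:00:00.000Z", "2.3.1": "2025-09-08T13:10:00.000Z"},
    "nested-util": {"0.9.0": "2025-09-08T14:02:00.000Z"},
    "stable-pkg": {"4.0.0": "2024-11-20T09:00:00.000Z"},
}


def package_name(lock_path):
    # "node_modules/a/node_modules/@scope/b" -> "@scope/b" (handles nested installs)
    return lock_path.rsplit("node_modules/", 1)[1]


def installed_versions(lock_json):
    """Map package name -> set of versions present anywhere in the lockfile tree."""
    lock = json.loads(lock_json)
    found = {}
    for path, meta in lock.get("packages", {}).items():
        if path:  # "" is the root project itself, not a dependency
            found.setdefault(package_name(path), set()).add(meta["version"])
    return found


def parse_ts(stamp):
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def recent_publishes(lock_json, publish_times, published_after):
    """Return (name, version, publish_time) for versions published at/after the cutoff.
    A version with no known publish time is also flagged, since it cannot be cleared."""
    cutoff = parse_ts(published_after)
    flagged = []
    for name, versions in installed_versions(lock_json).items():
        for ver in sorted(versions):
            stamp = publish_times.get(name, {}).get(ver)
            if stamp is None:
                flagged.append((name, ver, "unknown publish time"))
            elif parse_ts(stamp) >= cutoff:
                flagged.append((name, ver, stamp))
    return flagged
```

Anything the check returns is a candidate for pinning back to a version published before the incident window and re-installing from a clean lockfile.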
Hardware Wallets Seen as Safe
Ledger stressed that users employing hardware wallets with clear signing features remain protected. “If you use a Ledger or hardware wallet with clear signing, you are not at risk,” Guillemet said. Ledger, founded in 2014, has sold more than 6 million hardware wallets globally and secures an estimated 20% of the world’s crypto assets, according to company data. Its devices are designed to isolate private keys from potentially compromised software environments.
Hackers in recent years have increasingly exploited trusted development tools to infiltrate the broader ecosystem, with the latest breach drawing comparisons to North Korean-linked attacks that drained more than $1.5 billion from crypto platforms earlier in 2025.
According to Chainalysis, North Korea-linked Lazarus Group was responsible for over $3 billion in crypto thefts between 2017 and 2025, often relying on similar supply chain or developer-targeted exploits.