Charles Guillemet, chief technology officer of hardware wallet maker Ledger, warned on X on Monday that a large-scale supply chain attack is under way after the Node Package Manager (NPM) account of a reputable developer was compromised.
According to Guillemet, the malicious code, already pushed into packages with more than a billion cumulative downloads, is designed to silently swap cryptocurrency wallet addresses in transactions. That means unsuspecting users could send funds directly to the attacker without realizing it.
Guillemet did not name the developer whose account, he said, was compromised.
The incident underlines how deeply interconnected open source software is, and why a security lapse in developer tools can ripple into the crypto economy almost instantly: code pulled in as a dependency runs with the same trust as the application that imports it.
🚨 There is a large-scale supply chain attack in progress: the NPM account of a reputable developer has been compromised. The affected packages have already been downloaded over a billion times, which means the entire JavaScript ecosystem may be at risk.
The malicious payload works …
– Charles Guillemet (@p3b7_) September 8, 2025
“NPM is a tool commonly used in JavaScript software development that makes it easy for developers to integrate packages,” Guillemet said in a message to CoinDesk. When an attacker compromises a developer’s account, they can slip malicious code into widely used packages, and every project that installs or updates those packages pulls the code in.
“The malicious code tries to drain users by swapping the addresses used in transactions or general on-chain activity and replacing them with the hacker’s address,” Guillemet added.
Guillemet emphasized that if any decentralized application or software wallet on any blockchain includes these JavaScript packages, it could be compromised and, as a result, crypto users could lose their funds.
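The address-swapping mechanism described above, as an added illustration in JavaScript (this is not the actual payload from the incident and not code from Ledger or CoinDesk): a compromised dependency patches an application's transaction builder so that the recipient is rewritten after the UI has shown the user the correct one, and a signer-side check that compares the intended recipient with the `to` field of the transaction actually being signed catches the swap. That comparison is what a secure-screen, clear-signing flow lets the user perform by eye. The function names `buildTransfer`, `installMaliciousPatch`, `verifyBeforeSign` and `renderForSecureScreen`, and every address and amount below, are constructed for the example.

```javascript
// Added illustration of dependency-level address swapping and the
// signer-side check that defeats it. Not the real payload; all values
// are constructed placeholders.

const ATTACKER_ADDRESS = "0xa77ac4e7000000000000000000000000000000ff"; // constructed

// Honest transaction builder that an app or wallet SDK might expose.
function buildTransfer(to, valueWei) {
  return { to, value: valueWei, data: "0x" };
}

// What a compromised dependency can do once it runs inside the app:
// replace a function on a shared object so every transaction that passes
// through it is rewritten. The caller still sees the original signature.
function installMaliciousPatch(sdk) {
  const original = sdk.buildTransfer;
  sdk.buildTransfer = function patched(to, valueWei) {
    const tx = original(to, valueWei);
    tx.to = ATTACKER_ADDRESS; // silent recipient swap
    return tx;
  };
}

// Secure-screen analogue: render the exact fields of the transaction that
// will be signed, not what the dApp UI claimed. Full address, no truncation,
// because a truncated "0x1111…1111" hides a swapped middle.
function renderForSecureScreen(tx) {
  return `SEND ${tx.value} wei TO ${tx.to}`;
}

// Clear-signing check: refuse to sign unless the recipient in the final
// transaction matches what the user intended. Comparison is case-insensitive
// so that checksummed and lowercase forms of the same address agree.
function verifyBeforeSign(intendedTo, tx) {
  const norm = (a) => String(a).trim().toLowerCase();
  if (norm(intendedTo) !== norm(tx.to)) {
    return {
      ok: false,
      reason: `recipient mismatch: expected ${intendedTo}, transaction has ${tx.to}`,
    };
  }
  return { ok: true, reason: "" };
}

// Walks through both states: before and after the dependency is compromised.
function demo() {
  const sdk = { buildTransfer };
  const intended = "0x1111111111111111111111111111111111111111"; // constructed
  const amount = "1000000000000000000"; // 1 ETH in wei, constructed

  const clean = sdk.buildTransfer(intended, amount);
  const beforeCompromise = verifyBeforeSign(intended, clean);

  installMaliciousPatch(sdk);
  const tampered = sdk.buildTransfer(intended, amount); // same call, swapped result
  const afterCompromise = verifyBeforeSign(intended, tampered);

  return {
    beforeCompromise,
    afterCompromise,
    tamperedTo: tampered.to,
    screen: renderForSecureScreen(tampered),
  };
}

const result = demo();
console.log(result.screen);                 // shows the attacker address in full
console.log(result.afterCompromise.reason); // why the signer refuses
```

The point of the check is where it runs: it inspects the serialized transaction at the signing step, after every dependency has had its turn, so a swap anywhere upstream is visible. A check that compares against what the UI displayed, or a display that truncates the address, would pass the tampered transaction.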
“The only safe way to combat this is to use a hardware wallet with a secure screen that supports clear signing,” Guillemet told CoinDesk. “This will allow the user to see exactly which addresses funds are being sent to and make sure they match the intended addresses.”
“Hardware wallets without secure screens, and any wallet that does not support clear signing, are high risk, since it is impossible to accurately verify that the transaction details are correct,” he added.
“It is an opportunity to remind everyone: always verify your transactions, never blind sign, use a hardware wallet with a secure screen and clear sign everything,” Guillemet said.