- A large attack hit JavaScript tools that are used by millions across crypto platforms.
- Ledger CTO advised users to check every transaction and to avoid blind signing.
- Developers were told to secure packages and stop auto-updates until fixes are complete.
A sweeping supply chain attack on the JavaScript ecosystem has rattled the crypto industry, exposing fragile dependencies across its infrastructure. On September 8, 2025, Ledger’s Chief Technology Officer, Charles Guillemet, confirmed that attackers had breached a reputable developer’s NPM (Node Package Manager) account. The compromised account allowed hackers to inject “crypto-clipper” malware into heavily used JavaScript packages.
These infected libraries, including chalk, debug, strip-ansi, and color-convert, collectively account for more than one billion downloads, showing the immense scale of exposure. According to Guillemet, the malicious code silently swaps crypto wallet addresses during transactions, sending funds to attacker-controlled accounts. This means unsuspecting users are able to complete transactions believing them legitimate while unknowingly losing assets.
The affected tools were anything but obscure. Libraries, such as Chalk and Debug, support numerous decentralized applications and crypto platforms and are, thus, intimately involved in the daily running of the ecosystem. A breach of these libraries signaled that one breach can quickly affect millions of wallets and applications.
Urgent Warnings from Ledger CTO
Guillemet did not name the developer whose account was compromised. Yet he made clear that the threat is extensive. “This is a large-scale supply chain attack. The entire JavaScript ecosystem may be affected,” he wrote in his official warning.
He stressed the importance of using hardware wallets with secure screens that support Clear Signing. “The only sure way to combat this is to use a hardware wallet with a secure screen that supports clear signing,” he said. “This will allow the user to see exactly which addresses funds are being sent to and ensure they match the intended addresses.”
He continued, “Hardware wallets without secure screens and any wallet that doesn’t support clear signing are at high risk, as it is impossible to accurately verify the transaction details are correct.”
Finally, he issued a broad reminder: “It’s an opportunity to remind everyone: always verify your transactions, never blind sign, use a hardware wallet with a secure screen, and Clear Sign everything.”
Response from Developers and Wider Implications
In the wake of the disclosure, developers have been urged to pin safe versions of dependencies, secure lockfiles, and halt auto-updating packages until further notice. These precautions are intended to contain the damage while audits and clean-ups proceed across the ecosystem. Prominent figures within the crypto developer community also advised users to avoid interacting with crypto websites until vulnerabilities are resolved.
Related: Ripple Developers Defend XRP Ledger Amid Kaiko Assessment
This event put forward that even critical wallet providers such as Ledger depend on software layers outside their immediate control. If such layers are compromised, then the resulting impact can be devastating. Users numbering in the millions and digital values amounting to billions may be at risk within hours.
Update on the NPM Attack
According to the latest update from Guillemet, the attack has failed and had almost no victims. It began with a phishing email from a fake npm support domain that stole credentials, giving attackers access to publish malicious package updates. The injected code targeted web crypto activity, hooking into Ethereum, Solana, and other chains to hijack transactions by replacing wallet addresses directly in network responses. However, the attackers’ mistakes caused crashes in CI/CD pipelines, which led to early detection and limited the impact.
Guillemet emphasized that if your funds are in a software wallet or on an exchange, you’re one code execution away from losing everything. Supply chain compromises remain a powerful malware delivery vector, and targeted attacks are on the rise. He also highlighted that hardware wallets are built to withstand these threats. Features like Clear Signing let you confirm exactly what’s happening, and Transaction Checks flag suspicious activity before it’s too late.
