A large-scale supply chain attack on the JavaScript ecosystem has prompted an urgent warning from Ledger’s chief technology officer, Charles Guillemet, who advised users without hardware wallets to avoid on-chain transactions until further notice.
On September 8, hackers compromised the npm account of Josh Goldberg, a well-known open-source maintainer known as “Qix,” publishing malicious updates to 18 widely used packages, including chalk, debug, strip-ansi, and color-convert.
These utilities underpin much of the modern web and collectively account for more than 2.6 billion weekly downloads, according to npm statistics.
Researchers Uncover Crypto-Clipper Malware Hidden in Popular npm Libraries
Security researchers quickly found that the new versions contained a “crypto-clipper” malware.
The payload works by intercepting browser functions and swapping out legitimate cryptocurrency wallet addresses with attacker-controlled ones.
In some cases, the malware actively hijacks wallet communications, modifying transactions before they are signed.
The attack was first uncovered after a build error exposed obfuscated code hidden in one of the updated packages.
Analysis showed that the malware employed a two-pronged strategy: passively replacing wallet addresses using sophisticated algorithms to mimic the look of real ones and actively intercepting transactions from browser-based wallets like MetaMask to redirect funds.
The scale of the attack is unprecedented. Packages such as chalk are downloaded nearly 300 million times a week, while debug sees around 358 million weekly downloads.
Collectively, the targeted libraries are embedded deep within the dependency trees of tools like Babel, ESLint, and countless other projects, raising concerns that the fallout could affect developers and users worldwide.
In a post on X, Ledger CTO Charles Guillemet described the incident as a “large-scale supply chain attack” and warned that the malicious payload had already reached billions of downloads.
“If you use a hardware wallet, pay attention to every transaction before signing and you’re safe,” he wrote.
“If you don’t use a hardware wallet, refrain from making any on-chain transactions for now.” Guillemet added that it was still unclear whether the attackers were also attempting to steal wallet seed phrases.
The attackers reportedly gained access through a phishing campaign that targeted npm maintainers with emails impersonating the platform’s support team.
The fraudulent messages claimed that accounts would be locked unless two-factor authentication credentials were updated by September 10. Clicking the link redirected victims to a fake login page designed to steal credentials.
Once in control of Goldberg’s account, the attackers pushed malicious versions of core packages used across millions of applications.
Aikido Security, which analyzed the attack, said the injected code functioned as a browser-based interceptor capable of altering website content, tampering with API calls, and rewriting payment destinations without alerting users.
npm has since removed many of the compromised versions, but security experts warn that transitive dependencies make it difficult to ensure complete protection.
Developers are being urged to immediately audit their projects, pin safe versions of dependencies, and rebuild lockfiles.
The attack shows the fragility of the open-source ecosystem, which relies heavily on trust between maintainers and developers.
With billions of downloads affected and active wallet addresses linked to stolen funds already surfacing on-chain, researchers are describing the incident as one of the most severe supply chain compromises in the JavaScript ecosystem’s history.
Crypto Hacks Surge Past $3B in 2025 as Phishing and Laundering Tactics Escalate
The crypto sector is facing its most severe security crisis yet, with hackers stealing over $3 billion across 119 incidents in the first half of 2025, according to new data from blockchain analytics firm Global Ledger.
The figure is one and a half times greater than total losses in 2024, placing the industry on track to break annual records.
The report shows the speed of these attacks as a new threat. In some cases, stolen funds were moved within four seconds of an exploit, far faster than most exchange alert systems.
Nearly 70% of hacks saw funds moved before the breach became public, while one in four had assets fully laundered before any statement or alert was issued.
On average, it takes 37 hours for an incident to be publicly reported, leaving investigators trailing attackers who often cash out within minutes. Only 4.2% of stolen assets, around $126 million, were recovered in the first six months of the year.
Recent incidents underline the scale of the problem. In July, hackers infiltrated Brazil’s national payment system through provider C&M Software, stealing about $180 million from reserve accounts and quickly routing funds through crypto exchanges.
In June, hardware wallet maker Trezor warned of a phishing exploit that abused its customer support system to send fake emails requesting wallet backups.
Around the same time, CoinMarketCap and Cointelegraph suffered front-end compromises that pushed phishing pop-ups and fake airdrop promotions to users.
Despite the surge in attacks, bug bounty programs continue to show promise. Platforms like Immunefi report more than $120 million in payouts to white-hat hackers, preventing an estimated $25 billion in potential losses.
But with laundering times now measured in seconds, analysts warn the industry’s defenses are struggling to keep pace.
The post “Avoid On-Chain Transactions”: Ledger CTO Issues Urgent Warning After JavaScript Attack appeared first on Cryptonews.
