Charles Guillemet, Chief Technology Officer at hardware wallet maker Ledger, warned on X on Monday that a large-scale supply chain attack is underway after the compromise of a reputable developer's Node Package Manager (NPM) account.
According to Guillemet, the malicious code, already pushed into packages with over 1 billion downloads, is designed to silently swap crypto wallet addresses in transactions. This means unsuspecting users could send funds directly to the attacker without realizing it.
Guillemet did not name the developer whose account he said was compromised.
The incident underscores how deeply interconnected open source software is, and why a security lapse in developer tooling can ripple into the crypto economy almost immediately.
🚨 There is a large-scale supply chain attack in progress: the NPM account of a reputable developer has been compromised. The affected packages have already been downloaded over 1 billion times, which means the whole JavaScript ecosystem may be in danger.
The malicious payload works …
– Charles Guillemet (@P3B7_) September 8, 2025
“NPM is a tool often used in software development with JavaScript, making it easy for developers to integrate packages,” Guillemet said in a message to CoinDesk. When an attacker compromises a developer's account, they can slip malicious code into widely used packages.
“The malicious code tries to drain users by swapping the addresses used in transactions or general on-chain activity and replacing them with the hacker's address,” Guillemet added.
Guillemet emphasized that if a decentralized application or software wallet on any blockchain includes these JavaScript packages, it could be compromised, and crypto users could lose their funds as a result.
“The only sure way to fight this is to use a hardware wallet with a secure screen that supports clear signing,” Guillemet told CoinDesk. “This allows the user to see exactly which addresses funds are being sent to and to ensure that they match the intended addresses.”
“Hardware wallets without secure screens, and any wallet that does not support clear signing, are at high risk, as it is impossible to accurately verify that the transaction details are correct,” he added.
“It's an opportunity to remind everyone: always check your transactions, never blindly sign, use a hardware wallet with a secure screen, and clear-sign everything,” Guillemet said.
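The two points above, that a compromised dependency can rewrite the recipient of a transaction and that only a check of the exact payload being signed (what a secure screen with clear signing shows) catches it, can be modeled in a few lines of JavaScript. The following is an added illustration written for this page; it is not code from the article, from Ledger, or from the real malicious packages, and the wallet library, the hook, and the two addresses are all constructed for the example. The point it makes that the text does not spell out: a confirmation dialog rendered by the same JavaScript process can be patched to show the address the user expects, so comparing against the app's own UI proves nothing.

```javascript
// Added example (not from the article): a toy model of the attack class it
// describes. Addresses below are made up placeholders.
const INTENDED_RECIPIENT = "0x1111111111111111111111111111111111111111"; // constructed
const ATTACKER_ADDRESS   = "0x2222222222222222222222222222222222222222"; // constructed

// A minimal "wallet library" of the kind a dApp might pull in from NPM.
const wallet = {
  // Builds the unsigned transfer that will actually be handed to the signer.
  buildTransfer(to, amountWei) {
    return { to, value: amountWei, data: "0x" };
  },
  // What the dApp renders in its own (software) confirmation dialog.
  renderConfirmation(tx) {
    return `Send ${tx.value} wei to ${tx.to}`;
  },
};

// A compromised transitive dependency, modeled as code that monkey-patches the
// library at load time: it swaps the recipient in the real transaction but
// keeps the user's address in the rendered confirmation, so the dApp's own
// dialog still looks correct.
function installMaliciousHook(lib) {
  if (lib.__hooked) return; // idempotent so repeated loads do not stack hooks
  lib.__hooked = true;
  const originalBuild = lib.buildTransfer;
  const originalRender = lib.renderConfirmation;
  const expectedByTx = new WeakMap();
  lib.buildTransfer = function (to, amountWei) {
    const tx = originalBuild.call(this, ATTACKER_ADDRESS, amountWei);
    expectedByTx.set(tx, to); // remember what the user expects to see
    return tx;
  };
  lib.renderConfirmation = function (tx) {
    const shownTo = expectedByTx.get(tx) ?? tx.to;
    return originalRender.call(this, { ...tx, to: shownTo });
  };
}

// What a hardware wallet with a secure screen and clear signing gives the user:
// the device displays the fields of the exact payload it is about to sign,
// independent of anything the host's JavaScript rendered. Modeled here as a
// comparison of the raw transaction against the intended recipient.
function clearSignCheck(tx, intendedTo) {
  return tx.to.toLowerCase() === intendedTo.toLowerCase();
}

// Runs the scenario end to end and returns what each side observes.
function demo() {
  installMaliciousHook(wallet);
  const tx = wallet.buildTransfer(INTENDED_RECIPIENT, 10n ** 18n);
  const uiText = wallet.renderConfirmation(tx);
  return {
    uiText,                                                     // shows the intended address
    uiLooksRight: uiText.includes(INTENDED_RECIPIENT),          // true: the software check is fooled
    actualRecipient: tx.to,                                     // attacker's address
    secureScreenMatches: clearSignCheck(tx, INTENDED_RECIPIENT) // false: the device-side check catches it
  };
}
```

Run it with `node` and inspect `demo()`: the dialog text contains the intended recipient while the transaction carries the attacker's, and only the comparison against the raw payload reports a mismatch. That gap between what the page shows and what the signer receives is exactly why the advice is to verify on the device's screen rather than in the browser.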
Read more: Ledger CTO addresses criticism of New Wallet Recovery Service