Ledger’s chief technology officer, Charles Guillemet, has raised alarms over a large-scale supply chain attack involving Node Package Manager (NPM). According to Guillemet, a reputable developer’s NPM account was compromised, allowing malicious code to be injected into packages with over 1 billion downloads. The code is designed to stealthily replace crypto wallet addresses during transactions, redirecting funds to attackers.
NPM, widely used in JavaScript development, makes it easy to pull open-source packages into a project. The same interconnection is what makes the ecosystem fragile: most projects declare dependencies as version ranges and resolve to the newest matching release, so once a trusted maintainer's account is hacked, a malicious release published under it reaches every project that installs or updates within that range, with no action by the victim beyond a routine build. That puts decentralized applications, wallets, and blockchain users worldwide at risk at once.
The injected code swaps the recipient address inside the application, before the transaction is signed and broadcast. The user believes they are paying the address they entered, the application shows nothing unusual, and on-chain the transfer simply appears as a payment to the attacker. This puts countless wallets and decentralized applications at risk, especially those that let the user sign without an independent view of the transaction details.
Guillemet emphasized that the most reliable safeguard is a hardware wallet with a secure screen and Clear Signing. The device decodes the transaction and displays the exact recipient address on its own screen, independently of the computer or browser that may be running the compromised package, so the user can compare it with the intended address before approving. This avoids blind signing, where the user approves a transaction whose details they cannot see. Wallets without a secure screen or Clear Signing leave users exposed, because the only view of the transaction they get comes from the same software the attacker may control.
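The two preceding paragraphs describe an attack (a dependency rewriting the recipient before signing) and a defense (checking the decoded recipient on a screen the attacker cannot reach). The following is an added model of both, written for this page; it is not code from Ledger, from Guillemet, or from any NPM package. The addresses are made up, the `request({ method, params })` shape is a loose stand-in for how browser wallet providers are called, and the "signer" objects are hypothetical substitutes for a software wallet and for a hardware device with Clear Signing.

```javascript
'use strict';

// Added, hypothetical model (not code from Ledger or any NPM package).
// Constructed addresses; they belong to nobody.
const INTENDED_RECIPIENT = '0x1111111111111111111111111111111111111111';
const ATTACKER_ADDRESS   = '0x2222222222222222222222222222222222222222';
const PAYER              = '0x3333333333333333333333333333333333333333';

function sameAddress(a, b) {
  return String(a).toLowerCase() === String(b).toLowerCase();
}

// A software signer with no trusted display: it signs whatever reaches it.
// `signed` records the transactions it actually saw.
function makeSoftwareSigner() {
  const signed = [];
  return {
    signed,
    request({ method, params }) {
      if (method !== 'eth_sendTransaction') throw new Error('unsupported: ' + method);
      signed.push({ ...params[0] });
      return '0xhash' + signed.length;
    },
  };
}

// A signer with a secure screen and Clear Signing: it decodes the transaction
// and shows the recipient on its own display before signing. `userConfirms`
// models the user comparing that screen with the address they meant to pay;
// that comparison happens outside the JavaScript runtime the attacker controls.
function makeClearSigningDevice(userConfirms) {
  const signed = [];
  return {
    signed,
    request({ method, params }) {
      if (method !== 'eth_sendTransaction') throw new Error('unsupported: ' + method);
      const tx = params[0];
      if (!userConfirms(tx.to)) throw new Error('rejected on device: ' + tx.to);
      signed.push({ ...tx });
      return '0xhash' + signed.length;
    },
  };
}

// What a malicious update to a trusted dependency can do once it runs in the
// page: wrap the signer's request() and rewrite `to` on the way down. The
// caller gets a normal-looking return value and no error.
function installAddressSwapper(signer, attacker) {
  const original = signer.request.bind(signer);
  signer.request = function (args) {
    if (args && args.method === 'eth_sendTransaction' && Array.isArray(args.params)) {
      const [tx, ...rest] = args.params;
      return original({ ...args, params: [{ ...tx, to: attacker }, ...rest] });
    }
    return original(args);
  };
}

// The application's own check: compare the address it is about to send with
// the one the user entered, then hand the transaction over. The check sits
// above the patched layer, so it never sees the substitution.
// Returns the recipient the signer really signed for.
function payWithAppSideCheck(signer, intendedTo) {
  const tx = { from: PAYER, to: intendedTo, value: '0x1' };
  if (!sameAddress(tx.to, intendedTo)) throw new Error('app-side check failed');
  signer.request({ method: 'eth_sendTransaction', params: [tx] });
  return signer.signed[signer.signed.length - 1].to;
}

// Same payment through a Clear Signing device; returns 'signed' or 'rejected'.
function payWithClearSigning(device, intendedTo) {
  const tx = { from: PAYER, to: intendedTo, value: '0x1' };
  try {
    device.request({ method: 'eth_sendTransaction', params: [tx] });
    return 'signed';
  } catch (e) {
    return 'rejected';
  }
}

function runScenarios() {
  // 1. Software signer with the compromised dependency loaded: the app-side
  //    check passes, yet the transaction that gets signed pays the attacker.
  const soft = makeSoftwareSigner();
  installAddressSwapper(soft, ATTACKER_ADDRESS);
  const softOutcome = payWithAppSideCheck(soft, INTENDED_RECIPIENT);

  // 2. Clear Signing device with the same compromised dependency: the screen
  //    shows the attacker's address, the user rejects, nothing is signed.
  const confirms = (shown) => sameAddress(shown, INTENDED_RECIPIENT);
  const device = makeClearSigningDevice(confirms);
  installAddressSwapper(device, ATTACKER_ADDRESS);
  const clearOutcome = payWithClearSigning(device, INTENDED_RECIPIENT);

  // 3. Control: the same device without the malicious wrapper signs normally.
  const cleanOutcome = payWithClearSigning(makeClearSigningDevice(confirms), INTENDED_RECIPIENT);

  return { softOutcome, clearOutcome, clearSignedCount: device.signed.length, cleanOutcome };
}

console.log(runScenarios());
```

The point the model makes is that any address check performed by the same JavaScript that loads the compromised dependency is worthless, because the attacker's wrapper runs underneath it; the only check that holds is the one done on a display the page cannot write to, which is what the secure screen and Clear Signing provide.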
He urged the crypto community to remain vigilant: always verify transaction details on a trusted display, avoid blind signing, and rely on hardware wallets equipped with a secure screen and Clear Signing. With packages totaling over a billion downloads affected, the incident highlights the urgent need for stronger supply chain security in the open-source ecosystem, and serves as a reminder that protecting digital assets begins with user caution and trusted hardware.