Ledger CTO Warns Users Amid Massive NPM Supply Chain Attack

Hackers hit a trusted NPM account, adding malicious code to JavaScript packages downloaded over 1B times, risking crypto projects.

Written By Ronak Kumar
Fact Checked by Dhara Chavda
Published September 9, 2025 12:17 PM

Ledger’s Chief Technology Officer, Charles Guillemet, issued a strong warning on Monday, urging some users to temporarily stop on-chain transactions. The alert comes after a massive supply chain attack compromised a trusted developer’s NPM account, affecting packages that have been downloaded over 1 billion times.

“There’s a large-scale supply chain attack in progress,” Guillemet said in a post on X. “If you use a hardware wallet, pay attention to every transaction before signing and you’re safe. If you don’t, refrain from making any on-chain transactions for now.”

How the Attack Works

Supply chain attacks target the software distribution process, not individual users. Here, hackers took over the NPM account of a developer known as ‘qix’.

They allegedly inserted malicious code that automatically replaces cryptocurrency addresses, deceiving users into sending money to the attacker rather than the intended recipient. This method is similar to tactics used by North Korean hackers to steal $1.5 billion from the crypto exchange Bybit earlier this year.

Crypto developers quickly noticed the attack. @0x_ultra shared that packages like Chalk, with over 2 billion weekly downloads, were compromised and could steal private keys.

The impacted developer confirmed the attack, saying that phishing emails impersonating NPM threatened to lock maintainers’ accounts in order to lure them to rogue websites. However, at the time of reporting, the attacker had only managed to steal $498.

What Users Should Do

The compromised packages were reportedly patched around 15:15 UTC. However, websites and apps that updated dependencies recently might still be at risk.

Further, Uniswap, MetaMask, Ledger, OKX Wallet, Sui, Aave and Morpho have stated that they were “not affected” by the NPM supply chain attack.

Guillemet also reassured users that those using hardware wallets with clear signing are safe. Developers are encouraged to verify all their dependencies and make sure that they are not using the compromised versions.
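One way a developer could run that dependency check, shown as an added example that is not part of the original article: a Node.js function that walks a parsed package-lock.json and reports every direct or transitive entry whose exact name and version appear on a denylist. The article gives no version numbers, so the denylisted version is a placeholder, and the sample lockfile (demo-app, some-cli) is constructed.

```javascript
// Added example. The article names chalk but lists no version numbers, so the
// version below is a PLACEHOLDER; take real values from the official advisory.
const DENYLIST = new Map([["chalk", ["0.0.0-placeholder.1"]]]);

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function nameFromPath(path) {
  const marker = "node_modules/";
  const i = path.lastIndexOf(marker);
  return i === -1 ? path : path.slice(i + marker.length);
}

// Yield every installed entry, direct or transitive. Handles lockfileVersion
// 2/3 (flat "packages" map) and legacy v1 (nested "dependencies" tree).
function* installedPackages(lock) {
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "" || !meta.version) continue; // root project, links
      yield { name: meta.name || nameFromPath(path), version: meta.version, where: path };
    }
    return;
  }
  const stack = [[lock.dependencies || {}, ""]];
  while (stack.length > 0) {
    const [deps, prefix] = stack.pop();
    for (const [name, meta] of Object.entries(deps)) {
      const where = `${prefix}node_modules/${name}`;
      if (meta.version) yield { name, version: meta.version, where };
      if (meta.dependencies) stack.push([meta.dependencies, `${where}/`]);
    }
  }
}

// Return every lockfile entry whose exact name and version are denylisted.
function findCompromised(lock, denylist = DENYLIST) {
  return [...installedPackages(lock)].filter((p) =>
    (denylist.get(p.name) || []).includes(p.version));
}

// Constructed sample lockfile (not real data): the top-level chalk is fine,
// but a transitive copy pinned under some-cli matches the placeholder.
const SAMPLE_LOCK = {
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/chalk": { version: "1.2.3" },
    "node_modules/some-cli": { version: "2.0.0" },
    "node_modules/some-cli/node_modules/chalk": { version: "0.0.0-placeholder.1" },
  },
};
for (const h of findCompromised(SAMPLE_LOCK)) console.log(`COMPROMISED ${h.name}@${h.version} at ${h.where}`);
```

To scan a real project, pass the result of `JSON.parse` on its package-lock.json to `findCompromised`; the lockfile, not package.json, is what records the versions actually installed.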

This attack is being described as possibly the biggest supply chain attack in history, and it is a reminder of the increasing risks in the software ecosystem and the role of security in crypto transactions.
