Large-scale supply chain attack threatens all blockchain transactions

Ledger’s CTO Charles Guillemet sounded the alarm on September 8, 2025, confirming a large-scale supply chain attack via NPM (Node Package Manager). A reputable open-source developer’s account—known as “qix” (real name Josh Goldberg)—was compromised, allowing attackers to slip malicious “crypto-clipper” malware into widely used JavaScript packages like chalk, debug, strip-ansi, color-convert, and others. These are foundational tools embedded across countless applications and dApps.

What’s actually happening?

  • The malicious code intercepts crypto transactions—on every supported chain—and silently replaces the intended recipient address with one controlled by attackers. Users might complete transactions thinking they’re going to the correct wallet when, in fact, funds are being redirected.

Who’s vulnerable and what did Guillemet say?

  • Software wallets—especially browser-based ones like MetaMask—are highly vulnerable. The attack targets those that cannot independently verify the transaction details.
  • Hardware wallets with secure screens and Clear Signing offer real protection. Guillemet stressed that users should always confirm transaction details on-device.
  • For anyone not using a secure hardware wallet, he advised ceasing all on-chain activity immediately until the situation is resolved. (DailyCoin)

Scope of the attack

  • The compromised packages have been downloaded over one billion times, making this possibly the largest JavaScript supply chain attack ever.(CoinDesk)
  • Some estimates put weekly download volumes for impacted libraries at 2–2.6 billion, affecting ecosystems beyond crypto, including dApp frameworks and developer tooling like Babel and ESLint.

What to do now

  1. If you use a secure hardware wallet: Always verify the recipient address on the device. Never blind-sign.
  2. If you’re using a software wallet: Stop all on-chain activity until further notice. The risk is too high.
  3. Developers: Audit dependencies, pin to known safe versions, update lockfiles, and review your supply chain security.
  4. Crypto platforms (e.g., MetaMask, Uniswap, Aave, Jupiter): Reportedly unaffected—but diligence is still warranted.

TL;DR

  • Ledger CTO confirmed a major supply chain hack via NPM, targeting JavaScript packages used widely across the ecosystem.
  • Malware swaps crypto transaction addresses on the fly, stealing funds.
  • Hardware wallets with Clear Signing are your best defense. If you’re using a software wallet, halt on-chain transactions immediately.
  • The attack may be the largest in JS open-source history, with repercussions across multiple chains and applications.
