A widespread cyberattack targeting the JavaScript ecosystem has prompted Ledger Chief Technology Officer Charles Guillemet to issue a public warning, advising some users to temporarily avoid on-chain transactions.
On Monday, Guillemet posted on X: “There’s a large-scale supply chain attack in progress: the NPM account of a reputable developer has been compromised.” He noted that the affected packages have been downloaded over a billion times, putting a significant portion of the JavaScript ecosystem at risk.
In a supply chain attack, the attacker compromises a trusted link in the software distribution process rather than the end target directly. In this case, the attacker appears to have gained control of a developer’s account on NPM, the main registry for sharing JavaScript packages, and malicious code was allegedly injected into widely used packages published from that account.
“The malicious payload works by silently swapping crypto addresses on the fly to steal funds,” Guillemet explained. In practice, the code replaces the recipient address in a transaction with one controlled by the attacker, so a user who does not notice the change sends cryptocurrency to the attacker instead of the intended recipient.
The scope of the attack has led some security experts to call it potentially “the largest supply chain attack ever.”
Guillemet offered specific advice for users:
- Users of hardware wallets like Ledger are advised to be cautious but are generally safe as long as they carefully verify transaction details before signing.
- Users who do not use a hardware wallet are urged to “refrain from making any on-chain transactions for now.”
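The advice to verify transaction details before signing can be built into a signing flow as a pre-signing guard. The following is an added illustration, not Ledger’s code or any part of the affected packages; it assumes EVM-style hex addresses, and the function names and sample transactions are constructed for the example.

```javascript
// Added example: a pre-signing guard against on-the-fly recipient swaps.
// Assumes EVM-style hex addresses; function names and sample values are constructed.

// Normalise an address for comparison: require "0x" plus 40 hex digits,
// then compare case-insensitively (EIP-55 mixed case is only a checksum).
function normalizeAddress(addr) {
  if (typeof addr !== "string" || !/^0x[0-9a-fA-F]{40}$/.test(addr)) {
    throw new Error(`invalid address: ${addr}`);
  }
  return addr.toLowerCase();
}

// Compare the recipient the user independently confirmed (for example, read
// from a hardware wallet screen or a trusted contact list) with the recipient
// in the transaction the software is about to sign. Returns a result object
// rather than throwing so the caller can log the mismatch.
function checkRecipient(confirmedRecipient, tx) {
  const expected = normalizeAddress(confirmedRecipient);
  const actual = normalizeAddress(tx.to);
  if (expected === actual) {
    return { ok: true };
  }
  return {
    ok: false,
    reason: "recipient address in transaction differs from confirmed recipient",
    expected,
    actual,
  };
}

// Wrap a signing function so that it refuses to sign when the check fails.
function guardedSign(signFn, confirmedRecipient, tx) {
  const result = checkRecipient(confirmedRecipient, tx);
  if (!result.ok) {
    throw new Error(`refusing to sign: ${result.reason}`);
  }
  return signFn(tx);
}

// Constructed sample: the user confirmed one address, but the transaction
// object handed to the signer carries a different one, as a swap would.
const CONFIRMED = "0x1111111111111111111111111111111111111111";
const SAMPLE_TX_OK = { to: "0x1111111111111111111111111111111111111111", value: "1000" };
const SAMPLE_TX_SWAPPED = { to: "0x2222222222222222222222222222222222222222", value: "1000" };

console.log(checkRecipient(CONFIRMED, SAMPLE_TX_OK));       // { ok: true }
console.log(checkRecipient(CONFIRMED, SAMPLE_TX_SWAPPED));  // ok: false, with expected/actual
```

The check only helps if the confirmed address comes from a source the JavaScript in the page cannot alter, which is why the hardware wallet screen matters.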
