Charles Guillemet, chief technology officer at hardware wallet provider Ledger, issued a public warning about an unfolding supply-chain attack affecting the Node.js ecosystem. According to Guillemet’s post on the social media platform X, attackers gained access to a reputable developer’s NPM (Node Package Manager) account and injected malicious code into widely used JavaScript packages. The compromised packages have collectively accumulated over 1 billion downloads, indicating a potentially severe threat to developers and end users in the cryptocurrency sector.
The malicious payload intercepts transaction data passing through the affected libraries and silently replaces the intended recipient wallet address with one controlled by the attacker. The swap is invisible to any wallet or application that does not independently verify the recipient address before the transaction is signed. Funds sent through decentralized applications or smart-contract front ends that depend on the compromised packages can therefore be redirected to the attacker, with significant financial losses for users.
Guillemet emphasized that the only reliable defense against this type of attack is a hardware wallet with a secure display and support for Clear Signing. The secure display shows the exact recipient address and amount the device is about to sign, so the user can compare them with what they intended before approving the transfer. Software wallets and decentralized applications that lack this independent check remain vulnerable to address-swap attacks.
Open-source software supply chains have long been recognized as potential points of compromise, particularly in critical infrastructure and financial applications. The attack on NPM underscores the interconnected nature of modern development workflows, where a breach at a single account can cascade into widespread code contamination. Security experts are urging maintainers of high-risk packages to implement multi-factor authentication, regular security reviews and automated integrity checks as part of a comprehensive hardening strategy.
Ledger has not yet identified the specific packages or the developers involved to avoid accelerating the spread of the malicious code. Guillemet advised developers to audit their dependencies, monitor network requests for anomalous address-swap activity and use cryptographic tools to verify package integrity. He also called on the broader open-source community and enterprise users to collaborate in tracing and remediating the compromised modules.
This incident follows a series of high-profile supply-chain attacks in software development, including trojanized dependencies in popular ecosystems. The attack serves as a reminder that security measures must extend beyond direct attacks on applications to include the entire development pipeline. Organizations are encouraged to employ rigorous security controls, including dependency whitelisting, continuous monitoring and incident-response planning to mitigate future risks.
Reporting by Margaux Nijkerk; Edited by Nikhilesh De.