Charles Guillemet, the Chief Technology Officer at Ledger, has issued a critical alert about a sweeping supply-chain attack targeting JavaScript package infrastructure commonly used in crypto applications.
According to Guillemet, a popular Node Package Manager (NPM) package was compromised, allowing attackers to inject malicious code that silently replaces wallet addresses during transactions. The injected code rewrites the recipient address in real time, so funds can be redirected to the attackers without the user noticing.
Given how deeply JavaScript libraries are embedded in crypto wallets and applications, millions of on-chain transactions may be exposed. The scale of the incident is unprecedented, affecting a broad swath of the ecosystem.
Ledger’s Safety Recommendations:
- Pause On-Chain Transactions: Users should immediately halt all on-chain activity until the threat is fully contained.
- Use Secure Hardware Wallets: Only conduct transactions through devices that support “clear signing”, which lets you verify each detail, including the recipient address, on a secure display before approving it.
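To illustrate what the clear-signing recommendation protects against, here is an added example (not code from Ledger or from the article) that decodes an ERC-20 `transfer(address,uint256)` payload and compares the recipient actually being signed against the address the user confirmed independently; a dependency that swaps the address inside the payload is caught at this step. The addresses, token amount and the `clearSignCheck` helper are constructed for the demo.

```javascript
// Added example: a "clear signing"-style check over ERC-20 transfer calldata.
// Function selector: first 4 bytes of keccak256("transfer(address,uint256)").
const TRANSFER_SELECTOR = "a9059cbb";

// Decode ERC-20 transfer calldata into { to, amount }. Throws on malformed input.
function decodeErc20Transfer(calldataHex) {
  const hex = calldataHex.replace(/^0x/, "").toLowerCase();
  if (!/^[0-9a-f]*$/.test(hex)) throw new Error("calldata is not hex");
  if (hex.length !== 8 + 64 + 64) throw new Error("unexpected calldata length");
  if (hex.slice(0, 8) !== TRANSFER_SELECTOR) throw new Error("not an ERC-20 transfer");
  const toWord = hex.slice(8, 72);
  // ABI pads a 20-byte address to 32 bytes; the upper 12 bytes must be zero.
  if (!/^0{24}/.test(toWord)) throw new Error("malformed address word");
  const to = "0x" + toWord.slice(24);
  const amount = BigInt("0x" + hex.slice(72, 136));
  return { to, amount };
}

// Compare what is about to be signed with what the user confirmed out-of-band
// (the role a secure display plays). Returns { ok, reason, decoded }.
function clearSignCheck(calldataHex, intendedTo, intendedAmount) {
  let decoded;
  try { decoded = decodeErc20Transfer(calldataHex); }
  catch (e) { return { ok: false, reason: e.message, decoded: null }; }
  if (decoded.to !== intendedTo.toLowerCase())
    return { ok: false, reason: `recipient mismatch: payload has ${decoded.to}`, decoded };
  if (decoded.amount !== intendedAmount)
    return { ok: false, reason: "amount mismatch", decoded };
  return { ok: true, reason: "recipient and amount match", decoded };
}

// Builds calldata for the demo (constructed values, not real addresses or tokens).
function encodeErc20Transfer(to, amount) {
  const toWord = to.replace(/^0x/, "").toLowerCase().padStart(64, "0");
  const amtWord = amount.toString(16).padStart(64, "0");
  return "0x" + TRANSFER_SELECTOR + toWord + amtWord;
}

const INTENDED_TO = "0x1111111111111111111111111111111111111111"; // constructed
const SWAPPED_TO = "0x2222222222222222222222222222222222222222";  // constructed
const AMOUNT = 1000000n;

// An untampered payload passes; a payload whose recipient was swapped is flagged.
console.log(clearSignCheck(encodeErc20Transfer(INTENDED_TO, AMOUNT), INTENDED_TO, AMOUNT).reason);
console.log(clearSignCheck(encodeErc20Transfer(SWAPPED_TO, AMOUNT), INTENDED_TO, AMOUNT).reason);
```

The comparison only helps if the intended address comes from a source the compromised JavaScript cannot write to, which is why the article stresses a hardware device's own display.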
This warning highlights a significant risk in open-source dependencies and stresses the importance of verifiable transaction tools to safeguard against malware that is invisible to the user.