Ledger CTO Charles Guillemet has issued a critical warning about a massive supply chain attack impacting the NPM (Node Package Manager) ecosystem, which serves as the primary package manager for JavaScript and TypeScript developers worldwide. The attack, described as one of the largest in history, involves malicious code inserted into widely used libraries like chalk, strip-ansi, and color-convert.
The compromised packages have been downloaded over a billion times, with the malicious code specifically designed to stealthily swap cryptocurrency addresses in real-time. This means victims could inadvertently send funds to attacker-controlled addresses instead of the intended recipients. The attack affects multiple blockchains, including Ethereum and Solana.
Security researchers note that the malware functions as a crypto-clipper, targeting transactions by hijacking wallet addresses. While hardware wallet users confirming transactions on-device remain protected, software wallet users are particularly vulnerable. It remains unclear whether the malware can also extract recovery seeds from compromised wallets.
The scale is unprecedented—these libraries are embedded in the dependency trees of countless projects, meaning even developers who never installed them directly could be exposed. The attack highlights critical weaknesses in the software supply chain that underpins much of web development and crypto infrastructure.