
Lessons From NPM Crypto Exploit Near-Miss


A failed attack on popular Node Package Manager (NPM)
libraries sent shockwaves through the crypto world on Monday.

Hackers targeted major packages to hijack
cryptocurrency transactions across multiple blockchains, but due to coding
errors, the breach caused minimal loss.

Still, experts warn that the incident highlights ongoing
risks for software wallets, exchanges, and any platform that automatically
updates code libraries.

NPM Attack Hits Popular Libraries

The attack reportedly started with a phishing email
sent from a fake NPM support domain, which allowed hackers to access developer accounts. Malicious updates were then pushed to libraries, including chalk, debug, and strip-ansi.

The injected code attempted to intercept wallet
addresses on chains like Bitcoin, Ethereum, Solana, Tron, and Litecoin.

Charles Guillemet, Ledger’s CTO, commented on X: “The
attack fortunately failed, with almost no victims. It began with a phishing
email from a fake npm support domain that stole credentials and gave attackers
access to publish malicious package updates.”

According to Guillemet, the injected code targeted web
crypto activity, affecting Ethereum, Solana, and other blockchains, hijacking
transactions and replacing wallet addresses directly in network responses.


“If your funds sit in a software wallet or on an
exchange, you’re one code execution away from losing everything. Supply-chain
compromises remain a powerful malware delivery vector, and we’re also seeing
more targeted attacks emerge,” he said.

Understanding the Threat

Anatoly Makosov, CTO of The Open Network (TON), also explained the mechanics of the attack on X, noting that only 18 specific package versions were compromised.

Makosov said developers who deployed builds shortly
after the malicious updates, or who rely on auto-updating libraries, were most
exposed. “Developers of multi-chain products should check their code,
especially if they have released something today,” he warned.

Makosov emphasized that all earlier and newer versions
of the allegedly attacked packages are considered safe. Fixes have been
published, and developers are urged to reinstall clean code and rebuild their
applications.

Minimal Impact, Major Lesson

Despite the sophisticated attempt, the financial
impact was limited. Guillemet credited early detection to errors in the
attackers’ code that caused CI/CD pipeline crashes.

“Hardware wallets are built to withstand these
threats,” Guillemet said. Ledger devices include Clear Signing, letting users
verify transactions on a secure screen, and Transaction Check, which warns of
suspicious activity. “Your private keys and recovery phrase remain safe.
The immediate danger may have passed, but the threat hasn’t. Stay safe,” he
added.

Makosov and Guillemet both emphasized that vigilance
is crucial. Developers should lock dependencies to safe versions and avoid
dynamic updates, while users should avoid blind signing and always verify
wallet addresses.

Meanwhile, crypto wallet provider Ledger has assured
its users that its systems remain safe.

“Ledger devices are not and have not been at risk
during an ecosystem-wide software supply chain attack that was discovered.
Ledger devices are built specifically to protect users against attacks like
these,” the company explained.

Developers have now been urged to examine their
projects’ package files for affected versions and update or rebuild with secure
releases. Users, meanwhile, should avoid blind signing and always verify wallet
addresses before confirming transactions.
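The two developer checks described above (look for affected versions in the lockfile, and find dependencies that are not locked to an exact version) can be scripted as follows. This is an added example, not code from the article or from npm; the function names are hypothetical, the deny-list versions are placeholders because the article does not list the affected versions, and it assumes the `packages` map of a lockfileVersion 2 or 3 `package-lock.json`.

```javascript
// Deny-list of compromised releases. The versions here are CONSTRUCTED
// placeholders: replace them with the versions named in the advisory.
const DENY_LIST = {
  chalk: ["0.0.0-placeholder"],
  debug: ["0.0.0-placeholder"],
  "strip-ansi": ["0.0.0-placeholder"],
};

// Package name from a lockfile key, e.g.
// "node_modules/a/node_modules/@scope/b" -> "@scope/b"; root entry "" -> null.
function nameFromLockPath(path) {
  const i = path.lastIndexOf("node_modules/");
  return i === -1 ? null : path.slice(i + "node_modules/".length);
}

// Every installed copy (direct or transitive) whose exact version is denied.
function findDeniedPackages(lock, denyList) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = nameFromLockPath(path);
    if (name && Object.hasOwn(denyList, name) && denyList[name].includes(meta.version)) {
      hits.push({ name, version: meta.version, path });
    }
  }
  return hits;
}

// Dependencies in package.json declared as a range (^, ~, *, tags) instead of one version.
function findFloatingRanges(pkg) {
  const exact = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;
  const floating = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, range] of Object.entries(pkg[field] || {})) {
      if (!exact.test(range)) floating.push({ name, range, field });
    }
  }
  return floating;
}

// Constructed sample data standing in for parsed package.json / package-lock.json.
const samplePkg = { dependencies: { chalk: "^1.0.0", debug: "1.2.3" } };
const sampleLock = {
  lockfileVersion: 3, packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/chalk": { version: "0.0.0-placeholder" },
    "node_modules/debug": { version: "1.2.3" },
    "node_modules/foo/node_modules/strip-ansi": { version: "0.0.0-placeholder" },
  },
};
console.log(findDeniedPackages(sampleLock, DENY_LIST), findFloatingRanges(samplePkg));
```

Scanning the lockfile rather than `package.json` matters because these packages are usually pulled in transitively, as the nested `strip-ansi` entry in the sample shows.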
