2025-09-09

A massive supply chain attack has compromised a developer’s NPM account.

The affected packages, with over 1B downloads, have put the JavaScript ecosystem at risk.

A major supply chain attack has thrown the JavaScript ecosystem into chaos, putting developers and crypto users on high alert. In response, Ledger’s CTO, Charles Guillemet, is urging hardware wallet owners to be extra vigilant and manually review every single transaction before approving it.

The breach started after the account of a well-known NPM developer was taken over, allowing attackers to publish malicious updates to widely used JavaScript packages. Together, these compromised packages have been downloaded more than a billion times, which makes the incident one of the most serious to date.

An attacker recently gained access to the qix NPM account, which is connected to some of the most fundamental libraries in the JavaScript ecosystem. This compromise affected several key packages, including chalk, strip-ansi, color-convert, color-name, and is-core-module.

Crypto-Clipping: A New Malicious Threat

The injected malware was designed to function as a crypto-clipper. The attack is both silent and dangerous: it swaps wallet addresses within network requests, hijacking cryptocurrency transactions in real time.

This means that users attempting to send funds could unknowingly have their destination wallet addresses replaced with addresses controlled by the attacker. Researchers are also investigating whether the payload attempts to steal seed phrases from software wallets, though this has not yet been confirmed.

Impact on Developers and Crypto Users

Although the affected packages have since been patched or taken down, the compromised versions could still introduce malicious code into projects: outdated versions may remain hidden in dependency trees or lockfiles, so systems stay exposed unless a thorough audit finds and removes them. For crypto users, the consequences are more direct: transactions could be silently altered, draining funds without immediate detection.

Ledger’s CTO has outlined steps to minimize the risk. Developers should audit their dependencies immediately, inspecting their projects and lockfiles to ensure no compromised versions remain, and pin all dependencies to the last known-safe versions.
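A lockfile audit of the kind recommended above, as an added example that is not part of the article and not Ledger's or npm's own tooling: it lists every installed copy of the five packages named in the article, including copies nested under other dependencies, and then filters them against a version list that you must fill in from the official advisory (the sample lockfile and its version strings are constructed for the demo).

```javascript
// Added example (not from the article or from Ledger): list every installed copy of
// the affected packages in a package-lock.json, nested copies included, so each
// version can be checked against the advisory. Handles lockfileVersion 1 (nested
// "dependencies" tree) and 2/3 (flat "packages" map keyed by node_modules path).
const AFFECTED = ['chalk', 'strip-ansi', 'color-convert', 'color-name', 'is-core-module'];
// Recursively walk a v1 "dependencies" tree, recording every affected package.
function walkV1(deps, parentPath, affected, hits) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const path = parentPath ? `${parentPath} > ${name}` : name;
    if (affected.includes(name)) hits.push({ name, version: entry.version, path });
    walkV1(entry.dependencies, path, affected, hits);
  }
}

// Returns [{ name, version, path }] for each installed copy of an affected package.
function findAffected(lock, affected = AFFECTED) {
  const hits = [];
  if (lock.packages) { // lockfileVersion 2 or 3
    for (const [key, entry] of Object.entries(lock.packages)) {
      if (key === '') continue; // the root project entry
      // The name is whatever follows the last "node_modules/" (scoped names keep "@scope/").
      const name = key.slice(key.lastIndexOf('node_modules/') + 'node_modules/'.length);
      if (affected.includes(name)) hits.push({ name, version: entry.version, path: key });
    }
  } else {
    walkV1(lock.dependencies, '', affected, hits); // lockfileVersion 1
  }
  return hits;
}
// Keep only copies whose version the advisory lists as malicious; the list itself is
// deliberately not reproduced here, take it from the official notice.
function flagCompromised(hits, badVersions) {
  return hits.filter((h) => (badVersions[h.name] || []).includes(h.version));
}

// Constructed sample lockfile (v3 layout) with a nested second copy of chalk;
// the version strings are made up for the demo, not taken from any advisory.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/chalk': { version: '9.9.9' },
    'node_modules/some-cli': { version: '2.0.0' },
    'node_modules/some-cli/node_modules/chalk': { version: '1.2.3' },
    'node_modules/some-cli/node_modules/strip-ansi': { version: '7.7.7' },
  },
};
// Placeholder version list: replace with the exact malicious versions from the advisory.
const BAD_VERSIONS_FROM_ADVISORY = { chalk: ['0.0.0-placeholder'] };
console.log(findAffected(SAMPLE_LOCK), flagCompromised(findAffected(SAMPLE_LOCK), BAD_VERSIONS_FROM_ADVISORY));
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`; every copy that `findAffected` reports, nested or not, needs its version compared with the advisory before the project is considered clean.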

Users of hardware wallets with clear signing are protected as long as they carefully review and confirm every transaction before signing. Those without a hardware wallet should refrain from on-chain transactions: users who rely solely on software wallets are strongly advised to avoid conducting transactions.

