
Ledger CTO Warns of Billion-Download NPM Supply Chain Attack, All Solana Ecosystem Responds

2025/09/09 06:04

Ledger CTO Charles Guillemet has sounded the alarm on a major supply chain attack targeting the JavaScript ecosystem.

The exploit comes after a reputable developer’s NPM account was compromised, pushing malicious code into widely used packages with over 1 billion downloads.

On X, Guillemet wrote:

“🚨 There’s a large-scale supply chain attack in progress: the NPM account of a reputable developer has been compromised. The affected packages have already been downloaded over 1 billion times, meaning the entire JavaScript ecosystem may be at risk. The malicious payload works…” — Charles Guillemet (@P3b7_), September 8, 2025

Malicious Payload Swaps Crypto Addresses

The injected payload is designed to silently replace crypto addresses during transactions. If a user pastes or inputs a wallet address, the code swaps it with the attacker’s address—stealing funds without the victim realizing.

NPM has already disabled the compromised versions, but Guillemet cautions that risks may remain, especially on frontend applications still relying on cached or unpatched code.

He advised:

  •  Hardware wallet users should double-check every transaction before signing.
  •  Software wallet users should pause all on-chain activity until further clarity.

At this stage, it’s not clear if the attacker is also harvesting seed phrases from software wallets.

Solana Ecosystem Responds

The attack has triggered responses across the Solana ecosystem. Protocols and wallets quickly issued statements clarifying their exposure—or lack thereof.

Drift Protocol

Solana-based Drift Protocol confirmed that both its SDK and UI remain unaffected. In its statement: “Drift confirms that Drift’s SDK and UI are not affected by the large-scale NPM supply chain attack. None of the compromised packages were identified in Drift’s codebase. For the safety of the community, Drift advises users…” The team advised users to stay alert when signing any transactions until wallets fully confirm safety.

Solflare Wallet

Popular Solana wallet Solflare said its users are not at risk. The team pointed to safeguards like version locking and thorough code reviews before merging updates. Minor version changes are never pushed without review.

Kamino Finance

Kamino Finance co-founder @y2kappa responded, confirming that Solana’s leading lending protocol is not exposed. The Kamino app has no dependency on the compromised NPM packages.

Marinade Finance

Staking giant Marinade Finance said it is monitoring the situation closely. Initial checks show no impact, but the team urged users to remain vigilant as details unfold.

Jupiter Exchange

Solana’s top DEX aggregator Jupiter Exchange confirmed it is safe. Neither the Jupiter web app nor Jup Mobile relies on the compromised versions.

Supply Chain Attacks: A Growing Risk

This incident highlights the fragility of open-source ecosystems. With NPM packages embedded across thousands of projects, a single compromised account can spread malicious code to millions of users overnight.

The risk is amplified in crypto, where address swaps can directly drain wallets. Unlike traditional hacks, supply chain attacks exploit trust in widely used libraries, slipping past most developers and security tools.

What Users Should Do

Guillemet’s advice is clear:

  • Hardware wallets remain the safest option. Always verify the transaction address on the device before approving.
  • Software wallet users should avoid sending transactions until updates confirm no deeper compromise.
  • Developers should review package dependencies and ensure they are not pulling from compromised versions.

As of now, the attack appears contained, with NPM disabling malicious versions. But questions remain. Is the attacker only hijacking addresses—or also attempting to exfiltrate seeds from software wallets? The answer could determine whether this is an inconvenience for careless users or a catastrophic breach across the industry.

For now, caution is the rule. Guillemet’s warning underscores how even one compromised developer account can threaten an entire ecosystem. With over 1 billion downloads at risk, this NPM attack may go down as one of the most significant supply chain compromises in recent memory.

Disclosure: This is not trading or investment advice. Always do your research before buying any cryptocurrency or investing in any services.


Source: https://nulltx.com/ledger-cto-warns-of-billion-download-npm-supply-chain-attack-all-solana-ecosystem-responds/
