Ledger’s Chief Technology Officer, Charles Guillemet, has raised the alarm over a major supply chain attack targeting the JavaScript ecosystem. On or around September 8, 2025, hackers compromised the npm account of a well-known developer, believed to be Josh Goldberg (alias “Qix”). They injected malicious code into 18 popular JavaScript packages, including chalk, debug, strip-ansi, and color-convert.
These libraries are among the most widely used in web development, collectively seeing over 2.6 billion downloads every week. Early data indicates that infected versions alone may have already been downloaded more than 1 billion times.
How the malware works
The tampered versions behave as crypto-clipper malware: once loaded in a browser, they hook browser and wallet API calls so that a wallet address can be silently replaced while a crypto transaction is being prepared.
For example, when a user sends funds through a browser-based wallet like MetaMask, the malware swaps the intended recipient address with one controlled by the hacker. The user continues to see their original address on-screen, while funds are silently redirected elsewhere.
This attack may be the largest open-source supply chain compromise in history. Its impact extends far beyond crypto, as it undermines trust in widely adopted JavaScript packages that countless apps and services depend on. It also exposes the fragility of open-source dependencies, where a single compromised account can cascade into massive systemic risk.
How to stay safe
Ledger has shared key guidance for users:
- Hardware wallet users remain largely safe, as long as they carefully verify transaction details on the device screen before signing.
- Browser-based wallet users face a much greater risk and should avoid sending on-chain transactions until the situation is resolved.
Guillemet emphasized that hardware wallet users who practice “clear signing” (verifying the human-readable transaction details on the device’s own screen before approving) can avoid falling victim. In contrast, software wallets give users no independent view of what is being signed, leaving them vulnerable to invisible redirections.
NPM has begun removing the compromised versions. Developers are strongly advised to:
- Pin dependencies to verified safe versions,
- Rebuild lockfiles,
- Audit their full dependency chains, including transitive dependencies, to ensure no malicious code remains.
This cleanup will likely take time, given how deeply integrated these packages are across the ecosystem.