Ledger\u2019s Chief Technology Officer, Charles Guillemet, has raised the alarm over a major supply chain attack targeting the JavaScript ecosystem. On or around September 8, 2025, hackers compromised the npm account of a well-known developer, believed to be Josh Goldberg (alias \u201cQix\u201d). They injected malicious code into 18 popular JavaScript packages, including chalk, debug, strip-ansi, and color-convert.<\/p>\n\n\n\n
These libraries are among the most widely used in web development, collectively seeing over 2.6 billion downloads every week. Early data indicates that infected versions alone may have already been downloaded more than 1 billion times.<\/p>\n\n\n\n
The tampered packages function as crypto-clipper malware. They intercept browser processes and API calls, enabling attackers to secretly replace a wallet address during a crypto transaction.<\/p>\n\n\n\n
For example, when a user sends funds through a browser-based wallet like MetaMask, the malware swaps the intended recipient address with one controlled by the hacker. The user continues to see their original address on-screen, while funds are silently redirected elsewhere.<\/p>\n\n\n\n
This attack may be the largest open-source supply chain compromise in history. Its impact extends far beyond crypto, as it undermines trust in widely adopted JavaScript packages that countless apps and services depend on. It also exposes the fragility of open-source dependencies, where a single compromised account can cascade into massive systemic risk.<\/p>\n\n\n\n
Ledger has shared key guidance for users:<\/p>\n\n\n\n
Guillemet emphasized that hardware wallet users practicing \u201cclear signing\u201d can avoid falling victim. In contrast, software wallets leave users vulnerable to invisible redirections.<\/p>\n\n\n\n
NPM has begun removing the compromised versions. Developers are strongly advised to:<\/p>\n\n\n\n
This cleanup will likely take time, given how deeply integrated these packages are across the ecosystem.<\/p>\n","protected":false},"excerpt":{"rendered":"
Ledger\u2019s Chief Technology Officer, Charles Guillemet, has raised the alarm over a major supply chain attack targeting the JavaScript ecosystem. On or around September 8, 2025, hackers compromised the npm account of a well-known developer, believed to be Josh Goldberg (alias \u201cQix\u201d). They injected malicious code into 18 popular JavaScript packages, including chalk, debug, strip-ansi, […]<\/p>\n","protected":false},"author":13,"featured_media":15438,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[2,43],"tags":[],"class_list":{"0":"post-15436","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-featured","8":"category-general-news"},"acf":[],"yoast_head":"\n