NPM supply chain attack on crypto contained with ‘almost no victims,’ Ledger CTO says
Ledger’s chief technology officer said Tuesday that a widely watched supply-chain attack on the Node Package Manager ecosystem “fortunately failed,” with “almost no victims,” after a phishing campaign let attackers publish malicious updates to popular JavaScript packages before the compromise was detected and shut down.

Charles Guillemet, Ledger’s CTO, stated the incident began with emails from a spoofed NPM support domain that harvested developer credentials. This allowed hackers to push tainted package versions that hook web-crypto activity across Ethereum, Solana, and other chains by swapping destination addresses inside network responses.

He added that implementation mistakes caused CI/CD pipelines to crash, triggering rapid discovery and limiting the impact. “The immediate danger may have passed, but the threat hasn’t,” Ledger's CTO wrote on X, urging users to favor hardware wallets and clear signing protections. The attackers only netted about $503 in crypto, according to onchain analytics firm Arkham, which said the funds went to addresses cited by Guillemet in his initial alert.

The update follows Monday’s industry-wide warning, as reported by The Block. Security experts urged developers and users to pause onchain activity amid a massive NPM supply-chain event targeting web3 projects. By early Tuesday, multiple crypto teams, including Uniswap, Morpho, MetaMask, OKX Wallet, Sui, Aave, Trezor, and Lido, reported they were not affected.

Security collective SEAL Org called the outcome “lucky,” noting a compromised account with packages downloaded “billions” of times weekly could have yielded “untold riches” had the payload been stealthier.

While the take was minimal this time, industry veterans like Guillemet warned that software supply chain compromises remain a powerful malware vector and are becoming increasingly targeted.
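One defensive check this incident argues for is a publish-time "cooldown" on dependencies: a hijacked maintainer account produces brand-new versions, so flagging any installed version published within the last day or two gives the ecosystem time to catch the kind of compromise described above. The script below is an added example, not code from the article or from Ledger; the lockfile, package names, versions and publish timestamps are constructed sample data shaped like a `package-lock.json` (lockfileVersion 3) and the output of `npm view <pkg> time --json`.

```javascript
// Added example: flag npm dependencies whose installed version is "too fresh".
// All package names, versions and timestamps are constructed sample data.
const COOLDOWN_HOURS = 48;

// Mirrors the "packages" map of a lockfileVersion 3 package-lock.json.
const sampleLock = {
  packages: {
    "": { name: "my-dapp", version: "1.0.0" },
    "node_modules/left-pad-ish": { version: "1.3.1" },
    "node_modules/color-util-ish": { version: "2.0.4" },
    "node_modules/@scope/ok-lib": { version: "0.9.0" },
  },
};

// Publish times per version, as `npm view <pkg> time --json` reports them.
const samplePublishTimes = {
  "left-pad-ish": { "1.3.0": "2025-01-10T12:00:00Z", "1.3.1": "2025-09-08T13:05:00Z" },
  "color-util-ish": { "2.0.4": "2025-09-08T13:07:00Z" },
  "@scope/ok-lib": { "0.9.0": "2024-06-01T00:00:00Z" },
};

// Derive the package name from a lockfile path; handles scoped and nested paths.
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

// Returns {name, version, reason} for every dependency that was published
// inside the cooldown window, or that has no publish record at all (an
// unknown version is just as worth a second look as a fresh one).
function findFreshVersions(lock, publishTimes, now, cooldownHours = COOLDOWN_HOURS) {
  const cutoff = now.getTime() - cooldownHours * 3600 * 1000;
  const flagged = [];
  for (const [lockPath, entry] of Object.entries(lock.packages)) {
    const name = packageNameFromPath(lockPath);
    if (!name) continue; // the "" key is the root project itself
    const published = publishTimes[name] && publishTimes[name][entry.version];
    if (!published) {
      flagged.push({ name, version: entry.version, reason: "no publish record" });
    } else if (Date.parse(published) > cutoff) {
      flagged.push({ name, version: entry.version, reason: "published within cooldown" });
    }
  }
  return flagged;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(findFreshVersions(sampleLock, samplePublishTimes, new Date("2025-09-09T10:00:00Z")));
}
```

In a real pipeline the publish-time map would be fetched from the registry for each name in the lockfile, and a non-empty result would fail the build until a human has reviewed the flagged versions.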
The Block recently covered investigative work showing attackers embedding command-and-control instructions behind Ethereum smart contracts to steer NPM-distributed malware, a sign that adversaries are blending onchain and open-source tactics to dodge detection.

© 2025 The Block. All Rights Reserved.