Ledger CTO Warns of NPM Supply-Chain Attack Hitting 1B+ Downloads

Charles Guillemet, Chief Technology Officer at hardware wallet maker Ledger, warned on X on Monday that a large-scale supply-chain attack was under way after the compromise of a reputable developer's Node package manager (npm) account.
According to Guillemet, the malicious code, pushed into packages with more than 1 billion downloads, is designed to quietly swap crypto wallet addresses in transactions. This means users could send funds straight to the attacker without realizing it.
Guillemet did not name the developer whose account he said was compromised.
The incident underscores how deeply the crypto economy depends on open-source software, and how a security lapse in developer tooling can ripple through it almost immediately.
🚨 There is a large-scale supply-chain attack in progress: the NPM account of a reputable developer has been compromised. The affected packages have already been downloaded over 1 billion times, which means the entire JavaScript ecosystem may be at risk.
The malicious payload works …
– Charles Guillemet (@P3B7_) September 8, 2025
“npm is a tool commonly used in JavaScript software development that makes it easy for developers to integrate packages,” Guillemet said in a message to CoinDesk. When an attacker compromises a developer's account, they can slip malicious code into widely used packages.
“The malicious code attempts to drain users by changing the addresses used in transactions or other on-chain activity and replacing them with the hacker's address,” Guillemet added.
Guillemet stressed that if any decentralized application or software wallet on any blockchain includes this JavaScript package, it could be compromised, and crypto users could lose their funds.
“The only way to combat this is to use a hardware wallet with a secure screen that supports clear signing,” Guillemet told CoinDesk. “This will allow the user to see exactly where funds are being sent and ensure they match the intended addresses.”
“Hardware wallets without secure screens and any wallet that does not support clear signing are at high risk, as it is impossible to accurately verify that the transaction details are correct,” he added.
“This is an opportunity to remind everyone: always verify your transactions, don't blind sign, use a hardware wallet with a secure screen, and clear-sign everything,” Guillemet said.
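As an added illustration (not code from the article, from Ledger, or from the affected packages), the JavaScript below shows what "verify your transactions" means mechanically: before signing, a wallet or dApp re-compares the transaction it has been handed against the recipient and amount the user actually confirmed, so a destination address swapped by a compromised dependency is caught rather than signed. The addresses, amounts and function names are constructed for this example.

```javascript
// Added example: pre-signing intent check for a wallet or dApp.
// Threat model (from the article): malicious code inside a dependency rewrites
// the destination address of a transaction in flight. The defence is to keep
// the user's confirmed intent out of reach of that code path and re-check the
// final transaction object against it immediately before signing.

// Normalize an address so cosmetic differences (hex case, surrounding
// whitespace) do not cause false alarms while any real difference is caught.
function normalizeAddress(addr) {
  const s = String(addr).trim();
  // Ethereum-style 0x-prefixed 20-byte hex addresses are case-insensitive
  // apart from the EIP-55 checksum casing, so compare them lowercased.
  if (/^0[xX][0-9a-fA-F]{40}$/.test(s)) return s.toLowerCase();
  // Base58-style addresses (e.g. Bitcoin, Solana) are case-sensitive:
  // compare them exactly as given.
  return s;
}

// Compare a pending transaction against the intent the user confirmed.
// Returns { ok: true } or { ok: false, reason, expected, actual }.
function verifyTransactionIntent(intent, tx) {
  const expectedTo = normalizeAddress(intent.to);
  const actualTo = normalizeAddress(tx.to);
  if (expectedTo !== actualTo) {
    return { ok: false, reason: 'recipient-mismatch', expected: intent.to, actual: tx.to };
  }
  // Amounts are compared as BigInt so "1e18" vs "1000000000000000000"-style
  // formatting differences do not matter but any real change does.
  if (intent.value !== undefined && BigInt(intent.value) !== BigInt(tx.value)) {
    return { ok: false, reason: 'amount-mismatch', expected: String(intent.value), actual: String(tx.value) };
  }
  return { ok: true };
}

// Constructed sample: what the user confirmed on screen (placeholder address).
const USER_INTENT = {
  to: '0x1111111111111111111111111111111111111111',
  value: '1000000000000000000', // 1 ETH in wei
};

// Constructed transactions: one untouched, one whose destination was swapped
// while the amount was left alone (the quiet swap described in the article).
const UNTAMPERED_TX = { to: '0x1111111111111111111111111111111111111111', value: '1000000000000000000' };
const TAMPERED_TX = { to: '0x2222222222222222222222222222222222222222', value: '1000000000000000000' };

// Run both checks; a real wallet would refuse to sign when ok === false.
function demo() {
  return {
    untampered: verifyTransactionIntent(USER_INTENT, UNTAMPERED_TX),
    tampered: verifyTransactionIntent(USER_INTENT, TAMPERED_TX),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The important design point is that `USER_INTENT` must come from something the attacker's code cannot touch: a hardware wallet's secure screen is the strongest form of this, since the recipient shown there is rendered by firmware rather than by JavaScript bundled with the dApp, which is why a software-only check like the one above reduces risk but does not replace a clear-signing device.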