
A Large-Scale Supply Chain Attack Raises Alarm Across Crypto, But Just $503 Stolen

Malicious NPM packages targeted wallets across chains, but the impact remains limited.

On September 8, Charles Guillemet, Chief Technology Officer at Ledger, warned of an active supply chain attack that could potentially affect the entire JavaScript ecosystem. In a post on X, he revealed that the Node Package Manager (NPM) account of a reputable developer had been compromised. The attacker pushed malicious code into packages with over one billion downloads, raising alarm across the crypto community.

The injected code was designed to silently swap crypto wallet addresses during transactions. In practice, this meant that unsuspecting users could send funds directly to an attacker’s address without being aware of it. 

Guillemet emphasized that hardware wallets remained secure, provided users verified every transaction before signing. He advised all other users to pause onchain activity until the situation became clearer.

Early Concerns Across the Ecosystem

The news caused immediate concern within the crypto sector, where many decentralized applications rely on open-source JavaScript packages. A compromised dependency could expose users on Ethereum, Solana, and other chains. 

Several projects, including Marinade, Solflare, Step Finance, Jupiter, Drift, and Phantom, quickly issued statements confirming that their systems had not been affected.

Despite these reassurances, the scale of potential exposure was significant. NPM packages underpin many widely used applications, and a breach of this nature highlighted the fragility of supply chain security in software development.

Attack Mechanics and Intent

In a follow-up post on September 9, Guillemet provided more details. The attackers had gained access through a phishing email campaign impersonating NPM support. Using a fake domain, they stole developer credentials and published malicious updates to widely used packages. The injected code attempted to intercept web-based crypto activity, hooking into network responses and replacing wallet addresses.

However, implementation errors undermined the effectiveness of the attack. The malicious code caused continuous integration and deployment pipelines to crash, alerting developers and security teams earlier than the attackers likely intended. This disruption limited the scope of the attack and reduced the number of successful thefts.

Minimal Financial Damage

Blockchain analysis suggests that the attackers stole a minimal amount. Researcher @4484, who grouped the wallets linked to the incident on Arkham under the label “NPM attack,” found only $503.59 in stolen funds. A few hours earlier, the figure stood at $66, showing that the total may have grown incrementally but remained negligible compared to the potential scale of the compromise.

The pseudonymous founder of DefiLlama, 0xngmi, explained why the impact was limited. The malicious code could modify transactions on websites using compromised dependencies, such as replacing destination addresses. However, users still had to manually approve these altered transactions in their wallets, which prevented automatic fund drainage.

Security Alliance, a security collective, described the outcome as “lucky,” noting that if the attackers had executed the payload more effectively, the potential damage could have been immense.

A Narrow Escape

The September NPM supply chain attack serves as both a warning and a reminder. The actual losses were small, but the scale of potential exposure was vast. With over one billion downloads of the affected packages, the incident demonstrated how a compromised account can have a ripple effect across the entire ecosystem.

Crypto users and developers face a constantly evolving threat landscape. While hardware wallets and transaction verification remain reliable defenses, attackers will continue to probe weaknesses in software supply chains. The latest episode may have ended with almost “no victims,” but the next one could be far more damaging.
