ForkLog

Hackers Target JavaScript Ecosystem to Hijack Crypto Wallets


Attackers compromised the NPM account of a popular developer and embedded malicious code into JavaScript packages in order to drain cryptocurrency wallets. This was reported by Ledger’s CTO, Charles Guillemet.

“A large-scale supply chain attack has occurred: the account of a reputable developer on NPM has been compromised. The affected packages have already been downloaded over a billion times, posing a threat to the entire JavaScript ecosystem,” he wrote.

The compromised developer was identified as Josh Junon, who said he had fallen victim to a phishing attack. An email purporting to come from NPM support demanded that he update his 2FA under threat of account suspension. He clicked the link, giving the attackers direct access to popular packages such as Chalk.

A user known as JD emphasized that the attack first came to light as an unusual failure in the build system (CI/CD). He and a colleague then found “deliberately obfuscated code” that was hard to read.

“The attacker embedded malware in the code that seeks and steals cryptocurrency. The fetch function call, which broke our build, was an attempt by this program to send stolen data. The build failed only because the Node.js version was outdated and did not support the fetch function. In a more modern environment, the attack might have gone unnoticed,” he added.

How the Malware Operates and Protective Measures

Guillemet noted that users of software wallets are at risk. Those who confirm each transaction on a hardware device are better protected.

According to DeFi Llama’s founder, pseudonymously known as 0xngmi, the malicious code does not automatically empty wallets—users still need to confirm the transaction.

“A hacker can inject infected code into any site using the compromised npm dependency. For instance, when you click a ‘swap’ button, the malware might replace the transaction and send money to the hacker. However, you will still see this suspicious operation in your wallet and must approve it—your funds are not taken instantly,” he stated.

JD explained that the malware automatically replaces cryptocurrency addresses during transactions in two ways:

“The attack targets BTC, ETH, SOL, TRX, LTC, and BCH. The final confirmation screen is your last line of defense. Carefully check each character of the recipient’s address in the application or on the hardware wallet screen before confirming any transaction,” noted Minal Thukral, Head of Ecosystem Development at Okto.
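Applying the advice above in a dApp front end, as an added example that is not code from the article or from the affected npm packages: a guard around the wallet provider that refuses to forward an `eth_sendTransaction` whose `to` field differs from the recipient the user entered, and reports which character positions differ. The `eth_sendTransaction` request shape is the standard Ethereum provider API; the addresses and the stand-in wallet provider are constructed.

```javascript
// Added example (not code from the article or the affected packages): a guard
// that blocks an eth_sendTransaction whose "to" differs from the user's intent.

// Normalise an Ethereum hex address; reject anything but 0x + 40 hex digits.
function normalizeAddress(addr) {
  if (typeof addr !== "string") return null;
  const a = addr.trim().toLowerCase();
  return /^0x[0-9a-f]{40}$/.test(a) ? a : null;
}

// 0-based positions at which two strings differ ("check each character").
function diffPositions(a, b) {
  const out = [];
  for (let i = 0; i < Math.max(a.length, b.length); i++) if (a[i] !== b[i]) out.push(i);
  return out;
}

// Wrap a provider (e.g. window.ethereum): every eth_sendTransaction is checked
// against the recipient the user intended before it reaches the wallet prompt.
function guardProvider(provider, getIntendedRecipient) {
  return {
    request(args) {
      if (args.method === "eth_sendTransaction") {
        const tx = (args.params && args.params[0]) || {};
        const intended = normalizeAddress(getIntendedRecipient());
        const actual = normalizeAddress(tx.to);
        if (intended === null || actual === null) throw new Error("recipient missing or malformed");
        if (intended !== actual) throw new Error(`recipient mismatch at positions ${diffPositions(intended, actual).join(",")}`);
      }
      return provider.request(args);
    },
  };
}

// Constructed sample data: the address the user typed and a tampered "to" field.
const USER_TYPED = "0x1111111111111111111111111111111111111111";
const TAMPERED_TO = "0x1111111111111111111111111111111111112222";

// Push one transaction through the guard, using a constructed stand-in for the
// wallet provider, and report whether it was forwarded or why it was blocked.
function demo(toField) {
  const forwarded = [];
  const wallet = { request(args) { forwarded.push(args); return Promise.resolve("0x00"); } };
  const guarded = guardProvider(wallet, () => USER_TYPED);
  let error = null;
  try { guarded.request({ method: "eth_sendTransaction", params: [{ to: toField }] }); } catch (e) { error = e.message; }
  return { forwarded: forwarded.length, error };
}
```

Because the guard runs in the same page as any injected dependency, it complements the hardware wallet screen rather than replacing it as the final check.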

A developer known as ultra stated that the packages were fixed on September 8 at 15:15 UTC.

A software engineer known as cygaar confirmed that the NPM team disabled the compromised package versions.

According to Security Alliance, the damage from the attack has so far been limited to $50.

Earlier, researchers at ReversingLabs discovered malware in the NPM repository that used Ethereum smart contracts to conceal its commands and download additional malware.
