“Avoid On-Chain Transactions”: Ledger CTO Issues Urgent Warning
Hassan Shittu, Journalist
Last updated: September 8, 2025
A large-scale supply chain attack on the JavaScript ecosystem has prompted an urgent warning from Ledger’s chief technology officer, Charles Guillemet, who advised users without hardware wallets to avoid on-chain transactions until further notice.
On September 8, hackers compromised the npm account of Josh Goldberg, a prominent open-source maintainer known as “Qix,” and published malicious updates to 18 widely used packages, including chalk, debug, strip-ansi, and color-convert.
These utilities underpin much of the modern web and collectively account for more than 2.6 billion weekly downloads, according to npm statistics.
Researchers Uncover Crypto-Clipper Malware Hidden in Popular npm Libraries
Security researchers quickly found that the new versions contained a “crypto-clipper” malware.
The payload works by intercepting browser functions and swapping out legitimate cryptocurrency wallet addresses with attacker-controlled ones.
In some cases, the malware actively hijacks wallet communications, modifying transactions before they are signed.
The attack was first uncovered after a build error exposed obfuscated code hidden in one of the updated packages.
Analysis showed that the malware employed a two-pronged strategy: passively replacing wallet addresses with attacker-controlled lookalikes chosen to resemble the originals, and actively intercepting transactions from browser-based wallets like MetaMask to redirect funds.
The scale of the attack is unprecedented. Packages such as chalk are downloaded nearly 300 million times a week, while debug sees around 358 million weekly downloads.
Collectively, the targeted libraries are embedded deep within the dependency trees of tools like Babel, ESLint, and countless other projects, raising concerns that the fallout could affect developers and users worldwide.
In a post on X, Ledger CTO Charles Guillemet described the incident as a “large-scale supply chain attack” and warned that the malicious payload had already reached billions of downloads.
“If you use a hardware wallet, pay attention to every transaction before signing and you’re safe,” he wrote.
“If you don’t use a hardware wallet, refrain from making any on-chain transactions for now.” Guillemet added that it was still unclear whether the attackers were also attempting to steal wallet seed phrases.
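Two defender-side checks that follow from the mechanism described above and from Guillemet's advice to verify every transaction before signing, written as an added example (not code from the article, Ledger, Aikido or any of the affected packages): an audit that flags browser entry points whose implementation is no longer native code, and a pre-signing check that the destination of an `eth_sendTransaction` request still matches the recipient the user intended. The primitive names, the EIP-1193 request shape and the sample addresses are assumptions constructed for the demo.

```javascript
// Added defender-side example; not from the article or any named project.
// Caveat: a hook that also patches Function.prototype.toString, or a wrapper
// built with Function.prototype.bind, still reports as native, so treat the
// audit as one signal among several, not as proof of a clean page.

const nativeToString = Function.prototype.toString; // capture before any hook can replace it

function isNativeFunction(fn) {
  if (typeof fn !== 'function') return false;
  // Use the captured toString so a patched fn.toString cannot lie about fn.
  return /\{\s*\[native code\]\s*\}\s*$/.test(nativeToString.call(fn));
}

// primitives: { name: function } map of the entry points a clipper would wrap
// (assumed names, e.g. fetch, XMLHttpRequest.prototype.open, ethereum.request).
// Returns the names whose implementation is no longer native code.
function auditPrimitives(primitives) {
  return Object.entries(primitives)
    .filter(([, fn]) => !isNativeFunction(fn))
    .map(([name]) => name);
}

// request: assumed EIP-1193 shape { method, params: [{ to, value, ... }] }.
// expectedTo: the recipient confirmed out of band (e.g. on a hardware-wallet
// screen). Returns { ok, reason } so the caller can refuse to sign.
function checkTransactionDestination(request, expectedTo) {
  if (!request || request.method !== 'eth_sendTransaction') {
    return { ok: true, reason: 'not a send transaction' };
  }
  const tx = Array.isArray(request.params) ? request.params[0] : undefined;
  const to = tx && typeof tx.to === 'string' ? tx.to.toLowerCase() : '';
  const want = String(expectedTo).toLowerCase();
  if (!/^0x[0-9a-f]{40}$/.test(to)) return { ok: false, reason: 'malformed "to" address' };
  if (to !== want) return { ok: false, reason: 'destination does not match intended recipient' };
  return { ok: true, reason: 'destination verified' };
}

// Constructed demonstration data (not taken from the incident).
const intended = '0x' + '1'.repeat(40); // constructed address the user meant to pay
const swapped = '0x' + '2'.repeat(40);  // constructed substitute address

function demo() {
  const wrappedFetch = (...args) => Math.max(...args); // stand-in for a non-native wrapper
  return {
    cleanAudit: auditPrimitives({ fetch: Math.max, request: Math.min }),
    hookedAudit: auditPrimitives({ fetch: wrappedFetch, request: Math.min }),
    verified: checkTransactionDestination({ method: 'eth_sendTransaction', params: [{ to: intended }] }, intended),
    tampered: checkTransactionDestination({ method: 'eth_sendTransaction', params: [{ to: swapped }] }, intended),
  };
}
```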
The attackers reportedly gained access through a phishing campaign that targeted npm maintainers with emails impersonating the platform’s support team.
The fraudulent messages claimed that accounts would be locked unless two-factor authentication credentials were updated by September 10. Clicking the link redirected victims to a fake login page designed to steal credentials.
Once in control of Goldberg’s account, the attackers pushed malicious versions of core packages used across millions of applications.
Aikido Security, which analyzed the attack, said the injected code functioned as a browser-based interceptor capable of altering website content, tampering with API calls, and rewriting payment destinations without...
https://cryptonews.com/news/avoid-on-chain-transactions-ledger-cto-issues-urgent-warning-after-javascript-attack/
***NOT FINANCIAL, LEGAL, OR TAX ADVICE! JUST OPINION! I AM NOT AN EXPERT! I DO NOT GUARANTEE A PARTICULAR OUTCOME I HAVE NO INSIDE KNOWLEDGE! YOU NEED TO DO YOUR OWN RESEARCH AND MAKE YOUR OWN DECISIONS! THIS IS JUST ENTERTAINMENT!
This information is what was found publicly on the internet. This information could’ve been doctored or misrepresented by the internet. All information is meant for public awareness and is public domain. This information is not intended to slander harm or defame any of the actors involved but to show what was said through their social media accounts. Please take this information and do your own research.