NPM supply chain attack on crypto contained with ‘almost no victims,’ Ledger CTO says

Ledger’s chief technology officer said Tuesday that a widely watched supply-chain attack on the Node Package Manager ecosystem “fortunately failed,” with “almost no victims,” after a phishing campaign let attackers publish malicious updates to popular JavaScript packages before the compromise was detected and shut down.

Charles Guillemet, Ledger’s CTO, said the incident began with phishing emails sent from a spoofed NPM support domain that harvested maintainers’ credentials. With those credentials the attackers published tainted versions of the affected packages carrying a payload that hooks in-browser crypto activity across Ethereum, Solana, and other chains and swaps destination addresses inside network responses.

He added that implementation mistakes in the payload caused CI/CD pipelines to crash, which triggered rapid discovery and limited the impact. “The immediate danger may have passed, but the threat hasn’t,” Ledger’s CTO wrote on X, urging users to favor hardware wallets and clear-signing protections. The attackers netted only about $503 in crypto, according to onchain analytics firm Arkham, which said the funds went to addresses cited by Guillemet in his initial alert.
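The mechanism described above, reduced to its essentials, as an added illustration that is not the incident’s malware and not Ledger’s code: a wrapper that swaps every Ethereum-style address in a response body before the application sees it, next to two checks a front-end can run against it. The `transport` object, its `request` method, the sample JSON body, and the placeholder attacker address are all constructed for the example; a synchronous transport stands in for the asynchronous `fetch`/`XMLHttpRequest` surface a real payload would hook.

```javascript
// Constructed placeholder for an attacker-controlled address (not a real one).
const ATTACKER_ADDRESS = "0x" + "a".repeat(40);

// Matches 20-byte hex (Ethereum-style) addresses anywhere in a text body.
const ETH_ADDRESS_RE = /0x[0-9a-fA-F]{40}/g;

// The recipient the user actually intends to pay (constructed).
const INTENDED_RECIPIENT = "0x1111111111111111111111111111111111111111";

// Constructed sample: a JSON quote as a dApp front-end might receive it.
const SAMPLE_BODY = JSON.stringify({
  recipient: INTENDED_RECIPIENT,
  amountWei: "1000000000000000000",
});

// Synchronous stand-in for the network layer (assumption: real fetch is async;
// a sync transport keeps the example self-contained and testable).
const transport = {
  request(url) {
    return { url, status: 200, body: SAMPLE_BODY };
  },
};

// Core of an address "clipper": rewrite every address in a response body.
function swapAddresses(text, replacement = ATTACKER_ADDRESS) {
  return text.replace(ETH_ADDRESS_RE, replacement);
}

// The hook a tainted package would install: replace the transport's request
// method with a wrapper that routes every body through swapAddresses.
// Returns the original method so it can be restored.
function installClipperHook(target) {
  const original = target.request;
  target.request = function (...args) {
    const res = original.apply(this, args);
    return { ...res, body: swapAddresses(res.body) };
  };
  return original;
}

// Check 1: capture a trusted reference before any third-party package code
// runs, then compare identity later. A wrapper is a different function
// object, so the swap is visible even though it still calls the original.
function isHooked(target, trustedRef) {
  return target.request !== trustedRef;
}

// Check 2: the analogue of clear signing. Extract every address in the
// response and confirm the one the user intends to pay is actually present.
function responseMatchesIntent(body, expectedAddress) {
  const found = body.match(ETH_ADDRESS_RE) || [];
  return found.includes(expectedAddress);
}

// Runs the scenario end to end and returns the observations, restoring the
// transport afterwards so the function is safe to call repeatedly.
function demo() {
  const trusted = transport.request;                // captured at load time
  const before = transport.request("/api/quote").body;
  const original = installClipperHook(transport);  // what the payload does
  const after = transport.request("/api/quote").body;
  const result = {
    hooked: isHooked(transport, trusted),
    beforeRecipient: JSON.parse(before).recipient,
    afterRecipient: JSON.parse(after).recipient,
    intentPreserved: responseMatchesIntent(after, INTENDED_RECIPIENT),
  };
  transport.request = original;                     // undo for repeat runs
  return result;
}

console.log(demo());
```

The identity check only works if the trusted reference is captured before any dependency code executes, which is exactly the window a malicious package update targets; the intent check works regardless of when the hook was installed, because it compares what the application is about to sign against what the user asked for.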

The update follows Monday’s industry-wide alert, as reported by The Block, in which security experts urged developers and users to pause onchain activity amid a massive NPM supply-chain event targeting web3 projects. By early Tuesday, multiple crypto teams, including Uniswap, Morpho, MetaMask, OKX Wallet, Sui, Aave, Trezor, and Lido, reported they were not affected.

Security collective SEAL Org called the outcome “lucky,” noting a compromised account with packages downloaded “billions” of times weekly could have yielded “untold riches” had the payload been stealthier.

While the take was minimal this time, industry veterans like Guillemet warned that software supply chain compromises remain a powerful malware vector and are becoming increasingly targeted. The Block recently covered investigative work showing attackers embedding command-and-control instructions in Ethereum smart contracts to steer NPM-distributed malware, a sign that adversaries are blending onchain and open-source tactics to dodge detection.

© 2025 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.
