NPM crypto attack contained with minimal losses – Ledger CTO

A phishing hit on NPM let attackers push tainted package updates that swapped wallet addresses. Crashes exposed the breach quickly, limiting losses to about $503.
A widely watched NPM supply‑chain incident was contained with almost no victims, according to Charles Guillemet, CTO of Ledger. He said the attack started with phishing emails from a spoofed NPM support domain that stole developer credentials, letting the actor publish malicious package updates.
The injected code targeted web‑crypto flows across Ethereum, Solana and other chains by swapping destination addresses inside network responses, a classic way to hijack transactions without the user noticing. But implementation mistakes caused CI/CD pipelines to crash, which led to early discovery and limited the impact.
"The attack fortunately failed, with almost no victims," – Charles Guillemet, CTO of Ledger
By early Tuesday, multiple teams, including Uniswap, Morpho, MetaMask, OKX Wallet, Sui, Aave, Trezor and Lido, said they were not affected. On‑chain analytics firm Arkham estimated the attacker netted about $503, tracking funds to the addresses flagged in Guillemet’s initial alert.

Security collective SEAL Org called the outcome “lucky,” noting that a compromised account with packages downloaded billions of times weekly could have caused far greater damage if the payload had been stealthier.

Guillemet stressed that software supply‑chain compromises remain a powerful malware vector and are getting more targeted. He urged users toward hardware wallets and protections like Clear Signing and Transaction Checks; these features show exactly what you’re approving and can flag suspicious activity before it’s signed.
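The address swap described above, and the kind of pre‑signing transaction check Guillemet recommends, as an added JavaScript example that is not from the article, Ledger or any of the affected projects; the function names, the "intended recipient" input and the sample addresses are constructed for illustration:

```javascript
// Added example, not from the article or any wallet vendor: a pre-signing
// "transaction check". It compares the recipient the user actually typed
// (captured before any network call) with the recipient embedded in the
// transaction the app layer produced, so a tampered response is caught.
const ERC20_TRANSFER_SELECTOR = "0xa9059cbb"; // transfer(address,uint256)

// Normalize a hex address for comparison; rejects anything malformed.
function normalizeAddress(addr) {
  if (typeof addr !== "string" || !/^0x[0-9a-fA-F]{40}$/.test(addr)) {
    throw new Error(`not a valid address: ${addr}`);
  }
  return addr.toLowerCase();
}

// Effective recipient of a tx. For an ERC-20 transfer() the real recipient
// sits in calldata; the `to` field is only the token contract.
function effectiveRecipient(tx) {
  const data = (tx.data || "0x").toLowerCase();
  if (data.startsWith(ERC20_TRANSFER_SELECTOR) && data.length >= 10 + 64) {
    const word = data.slice(10, 10 + 64); // first ABI word after the selector
    return normalizeAddress("0x" + word.slice(24)); // address = last 20 bytes
  }
  return normalizeAddress(tx.to);
}

// Returns { ok, reason }. Pass the address the user entered, never a value
// that came back from a network response or a third-party package.
function checkRecipient(tx, intendedRecipient) {
  const intended = normalizeAddress(intendedRecipient);
  const actual = effectiveRecipient(tx);
  if (actual !== intended) {
    return { ok: false, reason: `tx pays ${actual}, user intended ${intended}` };
  }
  return { ok: true, reason: "recipient matches user intent" };
}

// Constructed sample (fake addresses): the user meant to pay 0xaa..., but the
// injected code rewrote both a native transfer and a token transfer to 0xbb...
const intended = "0x" + "aa".repeat(20);
const swapped = "0x" + "bb".repeat(20);
const tamperedEthTx = { to: swapped, value: "0x1" };
const tamperedTokenTx = {
  to: "0x" + "cc".repeat(20), // token contract address
  data: ERC20_TRANSFER_SELECTOR + swapped.slice(2).padStart(64, "0") + "1".padStart(64, "0"),
};
console.log(checkRecipient(tamperedEthTx, intended));   // { ok: false, ... }
console.log(checkRecipient(tamperedTokenTx, intended)); // { ok: false, ... }
```

The check only helps if the intended address is captured from the user's own input before it passes through any code path a tampered dependency could touch.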

In follow‑up coverage, researchers pointed to a broader trend: adversaries are blending on‑chain and open‑source tactics, even hiding command‑and‑control cues inside Ethereum smart contracts to steer NPM‑distributed malware and evade standard detection.