NPM Supply Chain Attack: Crypto Wallets at Risk, Ledger CTO Warns
Crypto Community on High Alert Following NPM Supply Chain Attack
A significant supply chain attack targeting the JavaScript ecosystem has put millions of crypto users and developers at risk. Malicious code injected into popular Node Package Manager (NPM) packages has the potential to compromise thousands of blockchain wallets and applications.
Compromised Packages Distribute Crypto-Clipping Malware
Ledger CTO Charles Guillemet has alerted the community to a compromised NPM account that resulted in malicious updates to widely used packages such as error-ex, color-convert, and strip-ansi. Security researchers have identified the injected malware as a "crypto-clipper." This malware silently intercepts wallet addresses during network requests and replaces them with attacker-controlled addresses.
🚨 There’s a large-scale supply chain attack in progress: the NPM account of a reputable developer has been compromised. The affected packages have already been downloaded over 1 billion times, meaning the entire JavaScript ecosystem may be at risk.
The malicious payload works…
— Charles Guillemet (@P3b7_) September 8, 2025
The malware activates regardless of crypto wallet detection. However, if a wallet like MetaMask is present, the malware directly manipulates transaction requests. It scans for wallet addresses across multiple networks, including Bitcoin, Ethereum, Solana, Tron, and Litecoin.
The attacker replaces legitimate addresses with similar-looking ones using a string-matching algorithm, making the switch difficult to detect. This highlights the ever-present need to fortify wallet security.
The malicious code was initially discovered following a build failure during a pipeline run. Instead of version 1.3.2, the system installed a newly published 1.3.3 version of error-ex. This version contained obfuscated code, including a function named checkethereumw, which was confirmed to be stealing crypto data.
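The version drift described above, where 1.3.3 resolved in place of the expected 1.3.2, can be caught by auditing the lockfile before anything is installed. The following is an added example, not code from the article or from any affected project: the function names and the sample lockfile are constructed, and only error-ex 1.3.3 comes from the article, so the other named packages are listed for manual review rather than matched by version.

```javascript
// Added example. BLOCKED holds the one compromised version the article names;
// WATCHED lists packages it names without versions (fill in from the advisory).
const BLOCKED = new Map([["error-ex", ["1.3.3"]]]);
const WATCHED = ["color-convert", "strip-ansi"];

// Lockfile v2/v3 key "node_modules/a/node_modules/@scope/b" -> "@scope/b".
function nameFromPath(key) {
  return key.split("node_modules/").pop();
}

// Flatten every resolved install in the lockfile to {name, version, where}.
function listInstalls(lock) {
  const out = [];
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    if (key !== "" && meta.version) {
      out.push({ name: meta.name || nameFromPath(key), version: meta.version, where: key });
    }
  }
  // Lockfile v1 has no "packages" map; transitive installs nest under "dependencies".
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const where = trail ? `${trail} > ${name}` : name;
      out.push({ name, version: meta.version, where });
      walk(meta.dependencies, where);
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return out;
}

// blocked: exact matches on a known-bad version; review: named packages to check by hand.
function auditLock(lock) {
  const installs = listInstalls(lock);
  return {
    blocked: installs.filter(p => (BLOCKED.get(p.name) || []).includes(p.version)),
    review: installs.filter(p => WATCHED.includes(p.name)),
  };
}

// Constructed sample lockfile (v3 layout). In a pipeline, pass
// JSON.parse(fs.readFileSync("package-lock.json", "utf8")) instead.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/error-ex": { version: "1.3.2" },
  "node_modules/parse-json/node_modules/error-ex": { version: "1.3.3" },
  "node_modules/strip-ansi": { version: "6.0.1" },
} };

console.log(JSON.stringify(auditLock(SAMPLE_LOCK), null, 2));
```

Failing the build when `blocked` is non-empty, and installing with `npm ci` so the lockfile is honored exactly, keeps a freshly published patch version from entering the pipeline unnoticed.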
Recommendations and Industry Response
Guillemet advises hardware wallet users to meticulously verify each transaction before signing. Those without hardware wallets are urged to pause on-chain transactions until the threat is resolved. It remains unclear whether seed phrases in software wallets are at risk.
Solana's Jupiter DEX aggregator has stated that its platform is unaffected, as it does not use the compromised package versions. The team has reviewed its source code to ensure user safety.
Regarding the recent NPM supply-chain attack:
Both Jupiter and Jup Mobile users are completely unaffected by the vulnerability.
We’ve confirmed across the source code that none of the affected package-versions exist in any Jupiter product.
Users are safe ✅ https://t.co/6Gee2mcN97
— Jupiter (🐱, 🐐) (@JupiterExchange) September 8, 2025