Swathes of crypto users could be at risk of having their funds stolen following the discovery of compromised JavaScript code packages, Ledger CTO Charles Guillemet warned Monday.
NPM is a prominent package manager for JavaScript, and Guillemet said on X that the entire programming language’s ecosystem could be vulnerable after a reputable developer’s account was compromised, potentially spreading a malicious payload to various websites.
“The malicious payload works by silently swapping crypto addresses on the fly to steal funds,” he said, adding that compromised packages have been downloaded more than 1 billion times. Guillemet added that funds on “potentially all chains” could be vulnerable to the exploit.
“I would strongly recommend not signing any crypto transactions right now,” software developer Cygaar meanwhile warned, noting that “various crypto websites” could be vulnerable.
Blockchain security firm Blockaid said on X that the compromise impacts around two dozen popular packages, such as “color-name” and “color-string.” NPM hosts packages of reusable code that users can integrate into their projects.
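As an added example (not from the article or from any of the projects it names), the following Node.js function lists every copy of the packages named above that a project's package-lock.json resolves, including nested transitive copies, so the resolved versions can be compared against published advisories. The function name, the sample lockfile and its version strings are constructed for illustration; the article does not state which versions were affected.

```javascript
// Package names quoted in the article. The affected versions are not given
// there, so this only reports what a lockfile resolves for each name.
const NAMED_IN_ARTICLE = ['color-name', 'color-string'];

// Walk a parsed npm lockfile and return every resolved copy of the watched
// packages. Typical input: JSON.parse(fs.readFileSync('package-lock.json')).
function findResolved(lock, watched = NAMED_IN_ARTICLE) {
  const want = new Set(watched);
  const hits = [];

  // lockfileVersion 2/3: flat "packages" map keyed by install path,
  // e.g. "node_modules/a/node_modules/color-name".
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const i = path.lastIndexOf('node_modules/');
    if (i === -1) continue; // root project ("") or a workspace folder
    const name = meta.name || path.slice(i + 'node_modules/'.length);
    if (want.has(name)) hits.push({ name, version: meta.version, path });
  }
  if (lock.packages) return hits; // v2 files carry both maps; count once

  // lockfileVersion 1: nested "dependencies" tree.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const here = trail.concat(name);
      if (want.has(name)) {
        hits.push({ name, version: meta.version, path: here.join(' > ') });
      }
      walk(meta.dependencies, here);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfile; package "example-widget" and all version
// strings are placeholders, not real releases.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/color-name': { version: '0.0.0-constructed.1' },
    'node_modules/example-widget': { version: '0.0.0-constructed.2' },
    'node_modules/example-widget/node_modules/color-name':
      { version: '0.0.0-constructed.3' },
  },
};

for (const h of findResolved(SAMPLE_LOCK)) {
  console.log(`${h.name}@${h.version}  (${h.path})`);
}
```

A project can resolve several copies of the same package at different versions, which is why the function reports each install path separately.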
Editor's note: This story is breaking and will be updated with additional context.