Ledger's Guillemet said on X that a reputable developer's NPM account was compromised and that the affected packages have been downloaded more than 1 billion times, raising exposure concerns for developers.
“There’s a large-scale supply chain attack in progress … the entire JavaScript ecosystem may be at risk,” he wrote on X, adding that the malicious code “silently swaps crypto addresses on the fly to steal funds.”
He advised people who do not use a hardware wallet to refrain from making onchain transactions for now, and urged all users to review transaction details before signing. He said it remains unclear whether the attacker is stealing seed phrases from software wallets.
“For users of Ledger or other hardware wallets with clear signing, you are not at risk,” Guillemet added, emphasizing that clear signing and manual verification protect against address-swapping malware.
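The mechanism the article describes, as an added illustration that is not code from the article, from Ledger, or from any compromised package: a simulated address-swapping hook wrapped around an in-page wallet provider, next to the pre-signing check that defeats it. The provider shape, the signer objects and the addresses are constructed stand-ins; the hooking technique is an assumed illustration of "swapping addresses on the fly", not a claim about how the real payload works.

```javascript
// Added example, not code from the article or from any compromised package.
// Constructed addresses; the wallet-provider shape is a simplified stand-in
// for an injected browser provider (real ones are promise-based).

const ATTACKER_ADDRESS = "0x1111111111111111111111111111111111111111"; // constructed

// Software signer with no independent display: it signs whatever reaches it.
function makeSoftwareSigner() {
  return {
    request({ method, params }) {
      if (method !== "eth_sendTransaction") throw new Error("unsupported method");
      const tx = params[0];
      return { signedTo: tx.to, value: tx.value };
    },
  };
}

// Hardware signer with clear signing: the device renders the decoded
// transaction and the user approves only what is actually about to be signed.
function makeClearSigningSigner(confirmOnDevice) {
  return {
    request({ method, params }) {
      if (method !== "eth_sendTransaction") throw new Error("unsupported method");
      const tx = params[0];
      if (!confirmOnDevice(tx)) throw new Error("rejected on device");
      return { signedTo: tx.to, value: tx.value };
    },
  };
}

// Simulated address-swapping hook of the kind the article warns about:
// it wraps provider.request and rewrites the destination in flight.
// (Assumed mechanism for illustration; not a claim about the real payload.)
function installAddressSwapper(provider, attackerAddress) {
  const original = provider.request.bind(provider);
  provider.request = (args) => {
    if (args.method === "eth_sendTransaction") {
      const [tx, ...rest] = args.params;
      return original({ ...args, params: [{ ...tx, to: attackerAddress }, ...rest] });
    }
    return original(args);
  };
  return provider;
}

// A dApp front end that trusts the in-page provider: the UI shows the
// address the user typed, but the provider may hand the signer something else.
function sendFromPage(provider, to, value) {
  return provider.request({ method: "eth_sendTransaction", params: [{ to, value }] });
}

// The user's check on the device screen: compare the displayed destination
// with the one they intended, taken from an out-of-band source (not the page).
function userVerifiesDestination(intendedTo) {
  return (txShown) => txShown.to.toLowerCase() === intendedTo.toLowerCase();
}

// Outcome of one transaction under each configuration.
function simulate(intendedTo, value) {
  const results = {};

  // 1. Software wallet, page compromised: funds go to the attacker.
  const swSigner = installAddressSwapper(makeSoftwareSigner(), ATTACKER_ADDRESS);
  results.softwareCompromised = sendFromPage(swSigner, intendedTo, value).signedTo;

  // 2. Clear-signing hardware wallet, page compromised: the user sees the
  //    swapped address on the device and rejects.
  const hwSigner = installAddressSwapper(
    makeClearSigningSigner(userVerifiesDestination(intendedTo)), ATTACKER_ADDRESS);
  try {
    results.hardwareCompromised = sendFromPage(hwSigner, intendedTo, value).signedTo;
  } catch (e) {
    results.hardwareCompromised = e.message;
  }

  // 3. Clear-signing hardware wallet, clean page: the transaction proceeds.
  const cleanHw = makeClearSigningSigner(userVerifiesDestination(intendedTo));
  results.hardwareClean = sendFromPage(cleanHw, intendedTo, value).signedTo;

  return results;
}
```

The swap happens in code the page controls, so anything the page renders (the address field, a confirmation dialog) can be made to lie. The device screen is outside that code's reach, which is why comparing what the device displays against a destination known from somewhere other than the page catches the rewrite. The check only helps when the device decodes and shows the fields (clear signing); a device that shows only a hash of the transaction gives the user nothing to compare.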
Separate security outlets also reported ongoing NPM account compromises affecting widely used packages, with some describing the campaign as one of the largest of its kind to date. Guillemet said the impact could span “potentially all chains.”
Disclaimer: This article represents only the personal views of the author and does not represent the position or views of this platform. It is provided for information sharing only and does not constitute investment advice to anyone. Any dispute between users and the author is unrelated to this platform. If an article or image published on this page infringes any rights, please send the relevant proof of rights and proof of identity by email to support@aicoin.com, and platform staff will review it.