Hackers Exploit JavaScript Developer Accounts in Massive Crypto Malware Attack

A major supply-chain attack has infiltrated widely used JavaScript packages, potentially putting billions of dollars in crypto at risk. Charles Guillemet, chief technology officer at hardware wallet maker Ledger, warned that hackers have compromised a reputable developer’s Node Package Manager (NPM) account to push malicious code into packages downloaded more than a billion times.

The injected malware is designed to quietly swap cryptocurrency wallet addresses in transactions, meaning users could unknowingly send funds directly to attackers. “The malicious code attempts to drain users by swapping addresses used in transactions or general on-chain activity and replacing them with the hacker’s address,” Guillemet explained.

🚨 There’s a large-scale supply chain attack in progress: the NPM account of a reputable developer has been compromised. The affected packages have already been downloaded over 1 billion times, meaning the entire JavaScript ecosystem may be at risk. The malicious payload works…
— Charles Guillemet (@P3b7_) September 8, 2025

Supply Chain Attack Hits Deep Into Developer Ecosystem

NPM is a core tool in JavaScript development, widely used to integrate external packages into applications. When a developer’s account is compromised, attackers can slip malware into packages that developers then unknowingly deploy in decentralized applications or software wallets.

Security researchers warn that software wallet users are particularly vulnerable, while hardware wallets remain largely protected. According to 0xngmi, founder of DefiLlama, the code does not automatically drain wallets. Users must still approve transactions, but compromised packages can silently change transaction details.

Explanation of the current npm hack: In any website that uses this hacked dependency, it gives a chance to the hacker to inject malicious code, so for example when you click a "swap" button on a website, the code might replace the tx sent to your wallet with a tx sending money to…
— 0xngmi (@0xngmi) September 8, 2025

Developers who pin dependencies to older, safe versions may avoid exposure, but users cannot easily verify which sites are safe. Experts recommend avoiding crypto transactions until affected packages are cleaned up.

Phishing Emails and Account Takeover

The breach began with phishing emails sent to NPM maintainers, claiming their accounts would be locked unless they “updated” two-factor authentication by Sept. 10. The fake site captured credentials, giving attackers control of developer accounts. From there, malicious updates were pushed to packages downloaded billions of times.

Charlie Eriksen of Aikido Security said the attack operates “at multiple layers: altering content shown on websites, tampering with API calls, and manipulating what users’ apps believe they are signing.”

ATTACK UPDATE: A massive supply-chain compromise has affected packages with over 2 billion weekly downloads, targeting *CRYPTO*
Here's how it works 👇
1) Injects itself into the browser
Hooks core functions like fetch, XMLHttpRequest, and wallet APIs (window.ethereum, Solana,…
— Aikido Security (@AikidoSecurity) September 8, 2025

Technical Details of the Crypto-Targeted Malware

The malware hooks into core browser functions and wallet APIs such as window.ethereum and Solana, allowing it to intercept both web traffic and wallet activity. By doing so, attackers can redirect crypto transactions before users notice.

Developers and users are urged to review dependencies and delay crypto transactions until the packages are verified safe. The incident underscores the risks inherent in widely used open-source software and the potential for supply-chain attacks to affect billions of users.

This article was written by Jared Kirui at www.financemagnates.com.
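Two defender-side checks that follow from the hooking behaviour described above, as an added example that is not code from the article, Ledger, DefiLlama or Aikido Security: an integrity check that flags when fetch or XMLHttpRequest has been replaced by a JavaScript wrapper, and a pre-signing guard that refuses a transaction whose recipient no longer matches what the UI intended. Function names, the sample root object and the addresses are assumptions constructed for illustration.

```javascript
// Added example: runs in a browser page (pass `window` as root) or in Node
// with a constructed root object. Not part of the original article.

const NATIVE_RE = /\{\s*\[native code\]\s*\}\s*$/;

// The engine-provided fetch/XMLHttpRequest stringify to "[native code]";
// a wrapper installed by injected script stringifies to its JS source.
// Caveat: a payload that also patches Function.prototype.toString can
// defeat this, so treat a clean result as evidence, not proof.
function isNativeFunction(fn) {
  if (typeof fn !== 'function') return false;
  try {
    return NATIVE_RE.test(Function.prototype.toString.call(fn));
  } catch (e) {
    return false; // toString threw: assume tampering
  }
}

// Returns the names of the APIs on `root` that are no longer native.
// The default list is the pair named in the Aikido thread above.
function detectHookedApis(root, names = ['fetch', 'XMLHttpRequest']) {
  const findings = [];
  for (const name of names) {
    const fn = root[name];
    if (fn === undefined) continue;        // API absent on this platform
    if (!isNativeFunction(fn)) findings.push(name);
  }
  return findings;
}

// Guard to call right before handing a transaction to the wallet provider:
// the dApp records the recipient its own UI intended and refuses to proceed
// if the params it is about to send differ. Hex addresses are compared
// case-insensitively because EIP-55 checksum casing varies between tools.
function recipientMatches(intendedTo, txParams) {
  if (!txParams || typeof txParams.to !== 'string') return false;
  return txParams.to.toLowerCase() === intendedTo.toLowerCase();
}

// Constructed demonstration root: a clean native function stands in for
// fetch, then a plain JS wrapper simulates a hooked one.
function demo() {
  const clean = { fetch: Math.max, XMLHttpRequest: Array };
  const hooked = { fetch: (...a) => Math.max(...a), XMLHttpRequest: Array };
  return { clean: detectHookedApis(clean), hooked: detectHookedApis(hooked) };
}
```

In a real page, run detectHookedApis(window) early in page load and treat any finding as a reason to block signing flows until the dependency set has been reviewed.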