Crypto Firms Assess Fallout From Massive Supply Chain Security Breach

Crypto Reporter

Shalini Nagarajan

About Author

Shalini is a crypto reporter who provides in-depth reports on daily developments and regulatory shifts in the cryptocurrency sector.

Crypto firms are racing to assess potential fallout after reports of a large-scale supply chain attack that compromised a widely used software library, sparking fears across the industry.

Ledger chief technology officer Charles Guillemet issued an urgent warning on Monday, urging users to pause onchain transactions. He said a malicious payload had been planted in JavaScript packages downloaded more than one billion times, a scale that could threaten the entire ecosystem.

"There's a large-scale supply chain attack in progress: the NPM account of a reputable developer has been compromised. The affected packages have already been downloaded over 1 billion times, meaning the entire JavaScript ecosystem may be at risk," Guillemet posted on X. He added that the malware silently swaps crypto addresses on the fly to steal funds.

Developer Duped By Fake Lockout Alerts, Credentials Stolen In NPM Hack

The attack stemmed from the compromise of the NPM account of Josh Junon, known in the open-source community as "qix." Hackers sent phishing emails that mimicked the official npmjs.com domain, warning of an imminent account lockout.

The messages tricked Junon into clicking links that redirected to a fake login page where his credentials were harvested.

Junon later confirmed on GitHub and Bluesky that he had been duped. "Sorry everyone, I should have paid more attention," he wrote, adding that it had been a stressful week and promising to help clean up the incident.

Some industry voices have suggested it could be the largest supply chain attack ever recorded.

Uniswap, MetaMask And Others Say They Were Not Impacted By The Breach

The malware is designed to intercept cryptocurrency transactions on blockchains such as Ethereum, Bitcoin, Solana and Tron. It specifically threatens software wallets, decentralized applications and web-based interfaces that integrate the compromised packages. By silently substituting recipient addresses, attackers can redirect funds without the user noticing until it is too late.

Companies moved quickly to reassure customers. Uniswap, Morpho, MetaMask, OKX Wallet, Sui and Aave all said they had not been affected by the breach.

Since the malicious code was live for about two hours before NPM security teams intervened, some applications likely integrated the compromised versions during that window. However, blockchain monitors said the attacker has not yet received stolen funds.
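A practical way for a team to check whether it pulled a package during a short publication window like the one described above is to compare its lockfile against the npm registry's per-version publish timestamps. The following Node script is an added example, not code from the article or from any affected project; the window, package names, versions and timestamps are constructed placeholders, and real metadata would come from the registry's packument for each package.

```javascript
// Added example (not from the article): audit a package-lock.json (v2/v3
// "packages" map) against npm registry metadata (the "time" map of
// version -> publish timestamp) and flag any installed version published
// inside a suspected compromise window. All values below are constructed.
const WINDOW = {
  start: Date.parse("2025-01-01T13:00:00Z"), // placeholder incident start
  end: Date.parse("2025-01-01T15:00:00Z"),   // about two hours later, as reported
};
// Versions of one package whose publish time falls inside [start, end].
function versionsInWindow(meta, window = WINDOW) {
  return Object.entries(meta.time || {})
    .filter(([version]) => version !== "created" && version !== "modified")
    .filter(([, ts]) => {
      const t = Date.parse(ts);
      return t >= window.start && t <= window.end;
    })
    .map(([version]) => version);
}
// Walk every installed package (nested and scoped ones included) and return
// [{ name, version, published }] for versions published inside the window.
function auditLockfile(lockfile, registryByName, window = WINDOW) {
  const hits = [];
  const marker = "node_modules/";
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (path === "") continue; // "" is the root project itself
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    const meta = registryByName[name];
    if (!meta) continue; // no metadata for this package: cannot judge it
    if (versionsInWindow(meta, window).includes(entry.version)) {
      hits.push({ name, version: entry.version, published: meta.time[entry.version] });
    }
  }
  return hits.sort((a, b) => (a.name < b.name ? -1 : a.name > b.name ? 1 : 0));
}
// Constructed sample input: one clean package, one hit, one nested scoped hit.
const SAMPLE_LOCK = { packages: {
  "": { name: "my-dapp", version: "0.1.0" },
  "node_modules/example-a": { version: "4.2.1" },
  "node_modules/example-b": { version: "1.0.0" },
  "node_modules/example-a/node_modules/@scope/example-c": { version: "2.0.0" },
} };
const SAMPLE_REGISTRY = {
  "example-a": { time: { created: "2020-01-01T00:00:00Z", "4.2.0": "2024-06-01T00:00:00Z", "4.2.1": "2025-01-01T13:42:00Z" } },
  "example-b": { time: { "1.0.0": "2023-03-03T00:00:00Z" } },
  "@scope/example-c": { time: { "2.0.0": "2025-01-01T14:05:00Z" } },
};
console.log(auditLockfile(SAMPLE_LOCK, SAMPLE_REGISTRY));
```

A hit only means the version landed in the window and deserves a closer look; it should be pinned back to a known-good version and the install reproduced from a clean lockfile.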

Junon also acknowledged inadvertently authorizing a reset of the two-factor authentication on his account, giving intruders further control. That lapse, combined with the phishing scheme, opened the door to the attack.

While cleanup efforts are under way, the breach has raised new questions about the resilience of open-source infrastructure underpinning much of the crypto economy. The event also shows how a single compromised developer account can ripple across a global ecosystem.