- Hardware wallets mitigate such vectors: Clear Signing and Transaction Checks confirm amounts and recipients on the device screen, blocking address swaps before approval.
- Recommended defenses include hardware security keys, restricted publish rights, dependency pinning, small test transfers, and cold storage migration policies.
A failed supply-chain intrusion tested crypto users this week. Ledger’s chief technology officer, Charles Guillemet, said attackers stole developer credentials via a fake npm support email and pushed altered package updates.
The injected code targeted browser-based crypto activity. It hooked into requests on Ethereum, Solana, and other chains to replace destination addresses inside network responses. In plain terms: a user could sign a normal-looking action while funds rerouted elsewhere.
Update on the NPM attack: The attack fortunately failed, with almost no victims.🔒
It began with a phishing email from a fake npm support domain that stole credentials and gave attackers access to publish malicious package updates. The injected code targeted web crypto activity,… https://t.co/Ud1SBSJ52v pic.twitter.com/lOik6k7Dkp
— Charles Guillemet (@P3b7_) September 9, 2025
Build crashes in continuous-integration pipelines exposed the problem early, and reported impact stayed low. The attempt still shows how one compromised dependency can reach thousands of wallets at once. Software wallets and exchange accounts sit closest to that path. When new code runs, keys or transactions face risk.
“It began with a phishing email from a fake npm support domain that stole credentials and gave attackers access to publish malicious package updates. The injected code targeted web crypto activity, hooking into Ethereum, Solana and other chains to hijack transactions, and replacing wallet addresses directly in network responses.”
The attack path is straightforward
A phish captures credentials. A malicious update ships. Developers or users pull the package. The altered code executes in a site or app and intercepts web calls. Address fields change on the fly. The screen may show one target while the network sends another. This is the cold reality of software supply chains.
Hardware wallets reduce this risk. Keys remain on the device. Clear Signing shows human-readable fields—asset, amount, and recipient—on a trusted screen. Transaction Checks flag unusual patterns before approval. If the device display and the app view differ, the user can refuse to sign. That extra confirmation breaks the scheme.
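The comparison that breaks the scheme, the user's intended recipient and amount checked against the payload that is actually about to be signed, as an added JavaScript example that is not Ledger's code and not part of the original article. The `intent` object stands for what the user meant to do, taken from a source a compromised page script cannot rewrite (a saved address book entry, or what the user confirms on a hardware wallet screen); the `tx` object is what the app built from network responses that a malicious dependency could have altered. The chain names, field names (`recipient`, `amount`, `to`, `value`) and all addresses are constructed for the example.

```javascript
// Added example (not Ledger's code): a clear-signing style gate at the
// signing boundary. Sign only when the user's intent and the payload agree.

// Normalize an address for comparison. EVM hex addresses are case-
// insensitive, so they are lowercased; Solana base58 addresses are
// case-sensitive and compared verbatim. Malformed input is rejected.
function normalizeAddress(chain, address) {
  const a = String(address).trim();
  if (chain === 'ethereum') {
    if (!/^0x[0-9a-fA-F]{40}$/.test(a)) throw new Error(`malformed EVM address: ${a}`);
    return a.toLowerCase();
  }
  if (chain === 'solana') {
    if (!/^[1-9A-HJ-NP-Za-km-z]{32,44}$/.test(a)) throw new Error(`malformed Solana address: ${a}`);
    return a;
  }
  throw new Error(`unsupported chain: ${chain}`);
}

// Compare the intended chain, recipient and amount with the payload about to
// be signed. Returns { ok, problems } rather than throwing, so a UI can show
// every discrepancy at once.
function verifyBeforeSign(intent, tx) {
  const problems = [];
  if (tx.chain !== intent.chain) {
    problems.push(`chain mismatch: intended ${intent.chain}, payload ${tx.chain}`);
    return { ok: false, problems }; // addresses on different chains are not comparable
  }
  const expected = normalizeAddress(intent.chain, intent.recipient);
  const actual = normalizeAddress(tx.chain, tx.to);
  if (expected !== actual) {
    problems.push(`recipient mismatch: intended ${intent.recipient}, payload ${tx.to}`);
  }
  // Amounts are base units (wei, lamports) kept as strings to avoid float loss.
  if (BigInt(intent.amount) !== BigInt(tx.value)) {
    problems.push(`amount mismatch: intended ${intent.amount}, payload ${tx.value}`);
  }
  return { ok: problems.length === 0, problems };
}

// The only path to the signer: refuses unless verification passes.
function signIfVerified(intent, tx, sign) {
  const verdict = verifyBeforeSign(intent, tx);
  if (!verdict.ok) throw new Error('refusing to sign: ' + verdict.problems.join('; '));
  return sign(tx);
}

// Constructed sample data (not real addresses or transactions).
const ALICE = '0x' + '0'.repeat(35) + 'a11ce';      // recipient the user chose
const SWAPPED = '0x' + '0'.repeat(34) + 'bad0dd';   // address injected into the response
const INTENT = { chain: 'ethereum', recipient: ALICE, amount: '1000000000000000000' };
// Same recipient as ALICE, differing only in hex case, so it must still pass.
const HONEST_TX = { chain: 'ethereum', to: '0x' + '0'.repeat(35) + 'A11CE', value: '1000000000000000000' };
const SWAPPED_TX = { chain: 'ethereum', to: SWAPPED, value: '1000000000000000000' };

// Demo: the honest payload is signed, the swapped one is refused.
const fakeSigner = (tx) => `signed:${tx.to}`; // stand-in for a real signer
console.log(signIfVerified(INTENT, HONEST_TX, fakeSigner));
try {
  signIfVerified(INTENT, SWAPPED_TX, fakeSigner);
} catch (e) {
  console.log(e.message);
}
```

The point of returning a verdict instead of silently fixing the payload is the same as the hardware-screen check in the text: the user sees the discrepancy and declines to sign, rather than trusting the app view.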
Practical steps follow from this episode
Teams should restrict publish rights, require hardware security keys for registry access, and pin dependencies. Developers should review diffs for packages that touch signing or address handling. Users can send small test transfers, verify addresses on the hardware screen, and move larger balances to cold storage. Exchanges can whitelist withdrawal addresses and monitor for front-end script drift.
“The attackers’ mistakes caused crashes in CI/CD pipelines, which led to early detection and limited impact. Still, this is a clear reminder: if your funds sit in a software wallet or on an exchange, you’re one code execution away from losing everything. Supply chain compromises remain a powerful malware delivery vector, and we’re also seeing more targeted attacks emerge.
Hardware wallets are built to withstand these threats. Features like Clear Signing let you confirm exactly what’s happening, and Transaction Checks flag suspicious activity before it’s too late.”
Markets often forget operational risk until code breaks. This week’s near-miss is a simple lesson: custody design matters, and verification at the point of signature is the control that counts.