Hackers Exploit JavaScript Accounts in Massive Crypto Attack Reportedly Affecting 1B+ Downloads

A major supply-chain attack has infiltrated widely used JavaScript packages, potentially putting billions of dollars in crypto at risk. Charles Guillemet, chief technology officer at hardware wallet maker Ledger, warned that hackers have compromised a reputable developer’s Node Package Manager (NPM) account to push malicious code into packages downloaded more than a billion times.

The injected malware is designed to quietly swap cryptocurrency wallet addresses in transactions, meaning users could unknowingly send funds directly to attackers.

“There’s a large-scale supply chain attack in progress: the NPM account of a reputable developer has been compromised,” Guillemet explained. “The affected packages have already been downloaded over 1 billion times, meaning the entire JavaScript ecosystem may be at risk.”

🚨 There’s a large-scale supply chain attack in progress: the NPM account of a reputable developer has been compromised. The affected packages have already been downloaded over 1 billion times, meaning the entire JavaScript ecosystem may be at risk.

The malicious payload works…

— Charles Guillemet (@P3b7_) September 8, 2025

Supply Chain Attack Hits Deep Into Developer Ecosystem

NPM is a core tool in JavaScript development, widely used to integrate external packages into applications. When a developer’s account is compromised, attackers can slip malware into packages that developers then unknowingly deploy in decentralized applications or software wallets.

Security researchers have warned that software wallet users are particularly vulnerable, while hardware wallets remain largely protected. According to Oxngmi, founder of DefiLlama, the code does not automatically drain wallets.

Explanation of the current npm hack

In any website that uses this hacked dependency, it gives a chance to the hacker to inject malicious code, so for example when you click a "swap" button on a website, the code might replace the tx sent to your wallet with a tx sending money to…

— 0xngmi (@0xngmi) September 8, 2025

Developers who pin dependencies to older, safe versions may avoid exposure, but users cannot easily verify which sites are safe. Experts recommend avoiding crypto transactions until affected packages are cleaned up.

Phishing Emails and Account Takeover

The breach reportedly began with phishing Phishing Phishing is a form of cyber-attack in which fake websites, emails, and text messages are used to elicit personal data. The most common targets in this assault are passwords, private cryptocurrency keys, and credit card details.Phishers disguise themselves as reputable businesses and other types of entities. In certain instances, reputable government organizations or authorities are impersonated in order to collect this data.Because phishing relies on psychological manipulation rather than techno Phishing is a form of cyber-attack in which fake websites, emails, and text messages are used to elicit personal data. The most common targets in this assault are passwords, private cryptocurrency keys, and credit card details.Phishers disguise themselves as reputable businesses and other types of entities. In certain instances, reputable government organizations or authorities are impersonated in order to collect this data.Because phishing relies on psychological manipulation rather than techno Read this Term emails sent to NPM maintainers, claiming their accounts would be locked unless they “updated” two-factor authentication by Sept. 10.

The fake site captured credentials, giving attackers control of developer accounts. From there, malicious updates were pushed to packages downloaded billions of times.

Related: Regulator Claims 9,000+ Clients' Data Hit Dark Web in Security Breach

Charlie Eriksen of Aikido Security said the attack operates “at multiple layers: altering content shown on websites, tampering with API calls, and manipulating what users’ apps believe they are signing.”

ATTACK UPDATE: A massive supply-chain compromise has affected packages with over 2 billion weekly downloads, targeting *CRYPTO*

Here's how it works 👇

1) Injects itself into the browser

Hooks core functions like fetch, XMLHttpRequest, and wallet APIs (window.ethereum, Solana,…

— Aikido Security (@AikidoSecurity) September 8, 2025

Developers and users have been urged to review dependencies and delay crypto transactions until the packages are verified as safe. The incident highlighted the risks inherent in widely used open-source software and the potential for supply-chain attacks to affect billions of users.