Hackers compromise NPM libraries, Ledger warns of crypto theft risk

Ledger CTO Charles Guillemet has raised alarm over a “large-scale supply chain attack” targeting the JavaScript ecosystem. Hackers hijacked developer qix’s NPM account, injecting malicious code into dozens of widely used libraries.

“The malware replaces crypto addresses on the fly to steal funds. If you use a hardware wallet — double-check every transaction. Without one, it’s safer to pause on-chain transfers for now,” Guillemet warned.

High-profile libraries were affected, including chalk (300M weekly downloads), strip-ansi (261M), color-convert (193M), color-name (191M), and more.

The attack went unnoticed until developers encountered unusual build errors. Further analysis revealed obfuscated functions like checkethereumw, designed to siphon cryptocurrencies.

Although hackers only netted about $50 in Ethereum and meme tokens, security experts say the implications are serious.

“Compromising a developer with billions of downloads could expose millions of machines,” noted the Security Alliance.

NPM Security has since removed most infected versions, but users are advised to audit projects and lock dependencies to safe releases.
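One way to act on that advice, added here as an example (it is not code from the article, from Ledger, or from npm): the script below walks a `package-lock.json` for the four libraries the article names, reports every installed copy (including nested, transitive ones), flags versions on a deny-list, and rewrites `package.json` so direct dependencies are pinned and npm `overrides` force transitive copies to the same version. The article gives no version numbers, so every version string in `BAD_VERSIONS`, `SAFE_VERSIONS` and the sample inputs is a constructed placeholder to be replaced from the npm advisory.

```python
"""Lockfile audit for the packages named in the advisory (added example).

Parses a package-lock.json (lockfileVersion 2 or 3), lists each installed
copy of the watched packages, flags deny-listed versions, and pins both
direct and transitive dependencies. Version strings are PLACEHOLDERS:
the article does not state which releases were compromised.
"""
import json
import re
from pathlib import Path

# Package names the article lists as affected.
WATCHED = {"chalk", "strip-ansi", "color-convert", "color-name"}

# PLACEHOLDER deny-list: fill from the npm advisory, not from this example.
BAD_VERSIONS = {"chalk": {"9.9.9-example-bad"}, "strip-ansi": {"9.9.9-example-bad"}}

# PLACEHOLDER pins: the versions you have verified as clean.
SAFE_VERSIONS = {"chalk": "9.9.8-example-ok", "strip-ansi": "9.9.8-example-ok"}

# Exact semver such as 1.2.3 or 1.2.3-beta.1; anything else (^, ~, *, ranges) floats.
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$")


def package_name(install_path):
    """Map a lockfile 'packages' key to its package name.

    'node_modules/a/node_modules/chalk' -> 'chalk'
    'node_modules/@scope/pkg'           -> '@scope/pkg'
    """
    return install_path.rsplit("node_modules/", 1)[-1]


def find_watched(lock):
    """Return sorted (name, version, install_path) for every installed watched package."""
    if lock.get("lockfileVersion", 1) < 2:
        raise ValueError("lockfileVersion 1 not supported; regenerate the lockfile with npm >= 7")
    hits = []
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project entry, not a dependency
            continue
        name = package_name(path)
        if name in WATCHED:
            hits.append((name, meta.get("version", "?"), path))
    return sorted(hits)


def flag_bad(findings, bad_versions=BAD_VERSIONS):
    """Subset of findings whose installed version is on the deny-list."""
    return [f for f in findings if f[1] in bad_versions.get(f[0], set())]


def unpinned_direct(package_json):
    """Watched direct dependencies declared as a range instead of an exact version."""
    out = {}
    for field in ("dependencies", "devDependencies"):
        for name, spec in package_json.get(field, {}).items():
            if name in WATCHED and not EXACT_VERSION.match(spec):
                out[name] = spec
    return out


def pin_package_json(package_json, safe_versions=SAFE_VERSIONS):
    """Return a copy of package.json with watched direct deps pinned and npm
    'overrides' set, so nested copies resolve to the same version.
    npm requires a direct dependency and its override to share the exact
    same spec, which pinning both to the same string satisfies."""
    pinned = json.loads(json.dumps(package_json))  # deep copy, leave input untouched
    for field in ("dependencies", "devDependencies"):
        for name in pinned.get(field, {}):
            if name in safe_versions:
                pinned[field][name] = safe_versions[name]
    pinned.setdefault("overrides", {}).update(safe_versions)
    return pinned


def audit_file(lock_path):
    """Convenience wrapper: audit a lockfile on disk."""
    lock = json.loads(Path(lock_path).read_text(encoding="utf-8"))
    findings = find_watched(lock)
    return findings, flag_bad(findings)


# Constructed sample inputs (not from any real project; versions are placeholders).
SAMPLE_LOCK = {
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"chalk": "^9.0.0"}},
        "node_modules/chalk": {"version": "9.9.9-example-bad"},
        "node_modules/strip-ansi": {"version": "9.9.8-example-ok"},
        "node_modules/some-tool": {"version": "1.0.0"},
        "node_modules/some-tool/node_modules/color-convert": {"version": "9.9.8-example-ok"},
        "node_modules/@scope/unrelated": {"version": "1.0.0"},
    },
}
SAMPLE_PACKAGE_JSON = {
    "name": "demo-app",
    "dependencies": {"chalk": "^9.0.0", "left-pad": "1.3.0"},
    "devDependencies": {"strip-ansi": "9.9.8-example-ok"},
}

if __name__ == "__main__":
    found = find_watched(SAMPLE_LOCK)
    for name, version, path in found:
        print(f"{name:<14} {version:<20} {path}")
    print("deny-listed:", flag_bad(found))
    print("unpinned direct deps:", unpinned_direct(SAMPLE_PACKAGE_JSON))
    print(json.dumps(pin_package_json(SAMPLE_PACKAGE_JSON), indent=2))
```

Run it against a real project with `audit_file("package-lock.json")`; the deny-list only does useful work once `BAD_VERSIONS` holds the versions from the advisory, and pinning with `overrides` is what keeps a later `npm install` from floating back onto a range that a re-published malicious release could satisfy.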
