Wednesday, 10 September 2025

Investing Updates: Ledger CTO warns users to halt onchain transactions amid massive NPM supply chain attack

Source:

ChatGPT:

Ledger’s Chief Technology Officer Charles Guillemet has urged crypto users to exercise extreme caution following what experts describe as one of the largest supply chain attacks in history. The incident stems from the compromise of an NPM account belonging to a reputable developer, with malicious code embedded in popular JavaScript packages that collectively have been downloaded more than one billion times.

Guillemet explained that the injected code silently swaps cryptocurrency addresses, redirecting funds to attackers without user awareness. This method, he warned, could endanger countless websites and applications — including crypto projects that rely heavily on JavaScript dependencies. Developers such as @0xCygaar and @0x_ultra highlighted that widely used packages like Chalk and its dependencies were impacted, noting billions of weekly downloads.

While the packages were reportedly patched around 15:15 UTC and NPM has disabled compromised versions, concerns remain that some website frontends could still be vulnerable. The package maintainer confirmed their account was hijacked after receiving a phishing email impersonating npmjs.com. Attackers threatened account lockouts to pressure maintainers into clicking malicious links.

Guillemet emphasized that users of hardware wallets like Ledger with “clear signing” are safe, provided they verify each transaction before approval. Those relying solely on software wallets are advised to halt onchain transactions temporarily.

The attack recalls earlier high-profile thefts, such as the $1.5 billion drained from Bybit by North Korean hackers, underscoring the crypto industry’s ongoing exposure to sophisticated exploits. Developers are urged to audit dependencies immediately and ensure their applications have not pulled compromised updates.
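As an added example of the dependency audit urged above (not code from the post or from Ledger), the script below walks an npm package-lock.json (lockfileVersion 2 or 3, an assumption) and reports every installed copy of a watched package, including copies nested under other dependencies, flagging versions on a denylist. "chalk" is taken from the post; the denylisted version string and the sample lockfile are constructed placeholders, since the post does not list the compromised versions.

```python
import json

# Constructed denylist. "chalk" is named in the post; the version string is a
# PLACEHOLDER, not a real compromised version (the post lists none). Fill this
# from the advisory, adding chalk's dependencies as they are confirmed.
DENYLIST = {
    "chalk": {"0.0.0-compromised-placeholder"},
}

def lockfile_packages(lock):
    """Yield (name, version, lock_path) for every entry in a lockfileVersion
    2 or 3 lockfile, including nested copies under other packages."""
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project, not a dependency
            continue
        # "node_modules/a/node_modules/@scope/b" -> "@scope/b"
        name = path.split("node_modules/")[-1]
        yield name, meta.get("version", ""), path

def audit(lock, denylist=DENYLIST):
    """Return one finding per installed copy of a watched package, flagging
    whether its resolved version is on the denylist."""
    findings = []
    for name, version, path in lockfile_packages(lock):
        if name in denylist:
            findings.append({"name": name, "version": version, "path": path,
                             "compromised": version in denylist[name]})
    return findings

def audit_file(lockfile_path):
    # Load a lockfile from disk and audit it.
    with open(lockfile_path, encoding="utf-8") as fh:
        return audit(json.load(fh))

# Constructed sample lockfile (not from any real project): one clean copy of
# chalk at top level and one denylisted copy nested under another package.
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-dapp", "dependencies": {"chalk": "^5.0.0"}},
        "node_modules/chalk": {"version": "5.3.0"},
        "node_modules/some-tool/node_modules/chalk": {"version": "0.0.0-compromised-placeholder"},
    },
}

if __name__ == "__main__":
    for f in audit(SAMPLE_LOCK):
        status = "COMPROMISED" if f["compromised"] else "ok"
        print(f"{status:11} {f['name']}@{f['version']}  ({f['path']})")
```

Run it against a real project with `audit_file("package-lock.json")`; every copy of a watched package is listed, so a clean top-level pin does not hide a denylisted copy nested under another dependency.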

Though mitigations are underway, security experts caution that vigilance is crucial until the full extent of the attack is confirmed.