A large-scale NPM supply chain attack targeting crypto developers and users failed to inflict major damage, with attackers stealing less than $505, according to Ledger’s CTO.
Attack Originated From Phishing Campaign
On Monday, attackers launched a phishing campaign using a spoofed NPM support domain, tricking some developers into revealing credentials. This allowed hackers to publish malicious updates to widely used JavaScript packages that targeted web3 and DeFi applications.
The compromised packages attempted to hijack crypto activity by swapping wallet destination addresses in network responses across Ethereum, Solana, and other blockchains.
Limited Damage Due to Implementation Errors
Ledger CTO Charles Guillemet stated on Tuesday that the attack was contained quickly due to implementation mistakes in the malicious code. The errors caused CI/CD pipelines to crash, exposing the compromise and limiting its impact.
“Fortunately, the incident failed, and there were almost no victims,” Guillemet wrote on X, urging users to rely on hardware wallets and clear signing protections for additional security.
Onchain data from Arkham shows the attackers only netted $503 worth of crypto, which was transferred to addresses flagged in Guillemet’s initial alert.
Industry Response
The incident prompted temporary caution across the sector. Security groups and projects advised developers and users to pause onchain activity until the scope of the compromise was clear.
Popular browser wallet MetaMask also said on X
By Tuesday, major web3 teams including Uniswap, Aave, MetaMask, Morpho, OKX Wallet, Lido, Trezor, and Sui confirmed that they were not affected.
Security collective SEAL Org called the outcome “lucky,” warning that a single compromised account with packages downloaded billions of times weekly could have caused catastrophic losses if the payload had been stealthier.
Supply Chain Threats Remain Critical
Although the financial impact was minimal, experts caution that software supply chain attacks remain one of the most potent cyber risks in crypto and web3. Recent investigations show that attackers are embedding command-and-control instructions in Ethereum smart contracts, enabling NPM-distributed malware to evade detection by blending onchain tactics with open-source infrastructure.
“While this event was contained, the threat hasn’t disappeared,” Guillemet stressed, adding that the industry must remain vigilant against supply chain compromises.
Disclaimer
This content is for informational purposes only and does not constitute financial, investment, or legal advice. Cryptocurrency trading involves risk and may result in financial loss.