Ledger CTO Charles Guillemet has sounded the alarm on a major supply chain attack targeting the JavaScript ecosystem.
The exploit comes after a reputable developer’s NPM account was compromised, pushing malicious code into widely used packages with over 1 billion downloads.
On X, Guillemet wrote:
“There’s a large-scale supply chain attack in progress: the NPM account of a reputable developer has been compromised. The affected packages have already been downloaded over 1 billion times, meaning the entire JavaScript ecosystem may be at risk.”
The malicious payload works…
— Charles Guillemet (@P3b7_) September 8, 2025
The injected payload is designed to silently replace crypto addresses during transactions. If a user pastes or inputs a wallet address, the code swaps it with the attacker’s address—stealing funds without the victim realizing.
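A defensive counterpart to the address-swapping behaviour described above, added here as an example (it is not code from Ledger or from any wallet quoted in this article): a "pin and re-verify" guard that records the recipient exactly as the user entered it and refuses to sign if the transaction that reaches the signer carries a different one. The transaction shape (`{ to, amount }`), the signer function and the addresses are all hypothetical, constructed for the demo.

```javascript
// Added example, not code from the article or from any wallet it quotes.
// Pattern: capture the recipient from the user's own input, keep it where
// page-level scripts cannot edit it, and compare again at signing time.
// The transaction shape, the signer and the addresses are hypothetical.

function createRecipientGuard() {
  // Pinned recipients live only inside this closure.
  const pinned = new Map(); // draftId -> address exactly as the user entered it

  return {
    pin(draftId, userEnteredAddress) {
      pinned.set(draftId, userEnteredAddress.trim());
    },
    // Compare the transaction's recipient with the pinned one. Any
    // difference at all is treated as a mismatch.
    check(draftId, tx) {
      const expected = pinned.get(draftId);
      if (expected === undefined) {
        return { ok: false, reason: "no pinned recipient for this draft" };
      }
      if (tx.to !== expected) {
        return { ok: false, reason: `recipient changed from ${expected} to ${tx.to}` };
      }
      return { ok: true, reason: "" };
    },
  };
}

// Sign only after the guard passes; otherwise throw so the UI can show an error.
function signWithGuard(guard, draftId, tx, signer) {
  const verdict = guard.check(draftId, tx);
  if (!verdict.ok) throw new Error(`refusing to sign: ${verdict.reason}`);
  return signer(tx);
}

// Constructed demo values: the user enters USER_ADDR; a tampered draft
// arrives at the signer with a different recipient that differs only in
// its last digits.
const USER_ADDR = "0x1111111111111111111111111111111111111111";     // constructed
const SWAPPED_ADDR = "0x1111111111111111111111111111111111119999";  // constructed
const fakeSigner = (tx) => ({ signed: true, to: tx.to, amount: tx.amount });

function demo() {
  const guard = createRecipientGuard();
  guard.pin("draft-1", USER_ADDR);

  // Untampered draft: recipient matches what the user typed, so it signs.
  const honest = signWithGuard(guard, "draft-1", { to: USER_ADDR, amount: 1 }, fakeSigner);

  // Tampered draft: recipient no longer matches, so signing is refused.
  let swapBlocked = false;
  try {
    signWithGuard(guard, "draft-1", { to: SWAPPED_ADDR, amount: 1 }, fakeSigner);
  } catch (e) {
    swapBlocked = true;
  }
  return { honestSigned: honest.signed, swapBlocked };
}

console.log(demo());
```

The guard is only as good as the point at which `pin` is called: it must read the address from the user's input event, before any dependency-provided code has had a chance to touch the draft, and the signing path must go through `signWithGuard` rather than calling the signer directly.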
NPM has already disabled the compromised versions, but Guillemet cautions that risks may remain, especially on frontend applications still relying on cached or unpatched code.
He advised:
At this stage, it’s not clear if the attacker is also harvesting seed phrases from software wallets.
The attack has triggered responses across the Solana ecosystem. Protocols and wallets quickly issued statements clarifying their exposure—or lack thereof.
Drift Protocol
Solana-based Drift Protocol confirmed that both its SDK and UI remain unaffected. The team advised users to stay alert when signing any transactions until wallets fully confirm safety.
Drift confirms that Drift's SDK and UI are not affected by the large-scale NPM supply chain attack.
None of the compromised packages were identified in Drift's codebase.
For the safety of the community, Drift advises users to temporarily refrain from signing transactions until…
— Drift (@DriftProtocol) September 8, 2025
Popular Solana wallet Solflare said its users are not at risk. The team pointed to safeguards like version locking and thorough code reviews before merging updates. Minor version changes are never pushed without review.
Solflare users are not at risk
We enforce version locking to protect from supply-chain attacks. Minor versions get bumped and merged only after a thorough code review.
Security is our #1 priority.
Stay safe https://t.co/MSYDegKeIO
— Solflare – The Solana Wallet (@solflare) September 8, 2025
Kamino Finance
Kamino Finance co-founder @y2kappa responded, confirming Solana’s leading lending protocol is not exposed. The Kamino app has no dependency on the compromised NPM packages.
Confirming the Kamino app does not have a dependency on the affected packages. https://t.co/FVj0KyAMX4
— Marius | Kamino (@y2kappa) September 8, 2025
Marinade Finance
Staking giant Marinade Finance said it is monitoring the situation closely. Initial checks show no impact, but the team urged users to remain vigilant as details unfold.
We are monitoring the ongoing NPM supply chain attack.
After double-checking our systems, Marinade is not affected. Still, we advise everyone to stay vigilant as the situation unfolds.
We’ll continue to track this closely and keep the community updated. https://t.co/8CRq9rFZtt
— Marinade (@MarinadeFinance) September 8, 2025
Jupiter Exchange
Solana’s top DEX aggregator Jupiter Exchange confirmed it is safe. Neither the Jupiter web app nor Jup Mobile relies on the compromised versions.
Regarding the recent NPM supply-chain attack:
Both Jupiter and Jup Mobile users are completely unaffected by the vulnerability.
We've confirmed across the source code that none of the affected package-versions exist in any Jupiter product.
Users are safe
https://t.co/6Gee2mcN97
— Jupiter (@JupiterExchange) September 8, 2025
Supply Chain Attacks: A Growing Risk
This incident highlights the fragility of open-source ecosystems. With NPM packages embedded across thousands of projects, a single compromised account can spread malicious code to millions of users overnight.
The risk is amplified in crypto, where address swaps can directly drain wallets. Unlike traditional hacks, supply chain attacks exploit trust in widely used libraries, slipping past most developers and security tools.
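The check the projects above describe (confirming that none of the affected package versions exist anywhere in a codebase) is mechanical once you have a lockfile. The following is an added example, not code from the article, from NPM or from any of the projects quoted: it scans an npm `package-lock.json` (lockfileVersion 1, 2 or 3) for installed copies of known-bad `package@version` pairs, including nested copies pulled in by a transitive dependency. The `AFFECTED` table is constructed placeholder data, not the real list from this incident; substitute the pairs from the advisory you are responding to.

```javascript
// Added example for this article; not code from Ledger, NPM or any project
// quoted here. Scans an npm lockfile for installed copies of known-bad
// package versions. AFFECTED is constructed placeholder data: replace it
// with the package@version pairs from the advisory you are acting on.
const AFFECTED = {
  "example-colour-lib": new Set(["9.9.9"]),        // constructed placeholder
  "example-logger": new Set(["4.4.99", "4.5.0"]),  // constructed placeholder
};

// A lockfileVersion 2/3 "packages" key looks like "node_modules/foo" or
// "node_modules/foo/node_modules/@scope/bar"; the installed package's name
// is everything after the last "node_modules/". The root entry ("") and
// workspace paths carry no such segment and are skipped.
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

function recordIfAffected(name, version, lockPath, affected, hits) {
  const bad = affected[name];
  if (bad && version && bad.has(version)) hits.push({ name, version, path: lockPath });
}

// lockfileVersion 1 nests "dependencies" objects instead of a flat map.
function walkV1(deps, parentPath, affected, hits) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const lockPath = `${parentPath}node_modules/${name}`;
    recordIfAffected(name, entry.version, lockPath, affected, hits);
    walkV1(entry.dependencies, `${lockPath}/`, affected, hits);
  }
}

// Return every { name, version, path } in the lockfile that matches `affected`.
function findAffected(lockfile, affected = AFFECTED) {
  const hits = [];
  if (lockfile.packages) {
    for (const [lockPath, entry] of Object.entries(lockfile.packages)) {
      const name = packageNameFromPath(lockPath);
      if (name) recordIfAffected(name, entry.version, lockPath, affected, hits);
    }
  } else {
    walkV1(lockfile.dependencies, "", affected, hits);
  }
  return hits;
}

// Convenience wrapper for the raw text of package-lock.json.
function scanLockfileText(text, affected = AFFECTED) {
  return findAffected(JSON.parse(text), affected);
}

// Constructed sample (v3): the top-level copies are clean, but a nested copy
// under a CLI tool pins a bad version. This is the case a glance at the
// top-level dependency list misses.
const SAMPLE_LOCK_V3 = {
  name: "sample-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", version: "1.0.0" },
    "node_modules/example-colour-lib": { version: "9.9.8" },
    "node_modules/example-logger": { version: "4.4.1" },
    "node_modules/some-cli": { version: "2.0.0" },
    "node_modules/some-cli/node_modules/example-logger": { version: "4.4.99" },
  },
};

// Constructed sample (v1): the nested format older npm versions wrote.
const SAMPLE_LOCK_V1 = {
  name: "legacy-app",
  lockfileVersion: 1,
  dependencies: {
    "example-colour-lib": {
      version: "9.9.9",
      dependencies: { "example-logger": { version: "4.4.1" } },
    },
  },
};

for (const hit of findAffected(SAMPLE_LOCK_V3)) {
  console.log(`AFFECTED ${hit.name}@${hit.version} at ${hit.path}`);
}
```

To run it against a real project, pass `fs.readFileSync("package-lock.json", "utf8")` to `scanLockfileText`. A clean lockfile only proves what is pinned, so the check is meaningful only for installs done with `npm ci` from that lockfile; an `npm install` that resolves fresh versions, or a cached build artifact, can differ from it, which is the residual risk the article notes for frontend deployments.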
Guillemet’s advice is clear:
As of now, the attack appears contained, with NPM disabling malicious versions. But questions remain. Is the attacker only hijacking addresses—or also attempting to exfiltrate seeds from software wallets? The answer could determine whether this is an inconvenience for careless users or a catastrophic breach across the industry.
For now, caution is the rule. Guillemet’s warning underscores how even one compromised developer account can threaten an entire ecosystem. With over 1 billion downloads at risk, this NPM attack may go down as one of the most significant supply chain compromises in recent memory.