- A major npm maintainer’s account was hacked, pushing malicious updates to libraries with billions of downloads.
- The malware swaps crypto addresses in transactions, aiming to divert funds to attackers.
- Users should audit dependencies, pin safe versions, and verify all wallet transactions (hardware wallets remain safest).
A prominent npm maintainer’s account (known as Qix) was hijacked, leading to malicious updates in widely used packages such as chalk, strip-ansi, ansi-styles, and debug. These libraries collectively see billions of downloads each week, making this one of the most serious supply-chain breaches the JavaScript ecosystem has ever faced. While npm security teams are removing compromised versions, dangerous releases may still exist in cached lockfiles or indirect dependencies.
Why it matters
These libraries aren’t obscure—they are foundational building blocks inside thousands of apps, frameworks, and developer tools. When something this deep in the ecosystem is compromised, the impact cascades across startups, Fortune 500 companies, and open-source projects worldwide. The sheer scale explains why security leaders are sounding alarms beyond the developer community.
What the malware does
Researchers have identified the attack as a crypto-clipper. Its function is deceptively simple: when someone tries to send cryptocurrency, the malware silently replaces the destination address with one controlled by the attacker. To the user, nothing looks unusual until funds are gone. It doesn’t target blockchains themselves—it tricks people into signing transactions to the wrong account.
Urgent warnings for crypto users
In a striking development, a Ledger executive publicly warned users not to conduct any blockchain transactions at all while the hack is ongoing, calling it a “large-scale” crypto security incident tied to the compromised JavaScript packages. This warning highlights the seriousness of the attack, especially for those relying on browser wallets or software-based signing.
What you should do now
- Audit and pin. Lock dependencies to the last known-safe versions and rebuild from scratch.
- Verify every transaction. Hardware wallets remain the safest option—always confirm addresses directly on the device.
- Pause if possible. If you rely on software wallets, consider delaying on-chain activity until the situation stabilizes.
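The first step above, auditing a lockfile for the packages named in this incident, can be scripted. The following is an added example, not code from the article or from npm; it reads a `package-lock.json` (v1 nested tree or v2/v3 flat map), reports every direct or transitive occurrence of the four packages, and flags versions on a blocklist. The version strings in `BLOCKED` are constructed placeholders, not the actual compromised releases; fill them in from the official advisory before a real audit.

```javascript
// Added example (not from the article or npm): scan a package-lock.json for the
// packages named in the incident and flag versions on a blocklist. BLOCKED holds
// constructed placeholder versions, NOT the real compromised releases.
const WATCHED = new Set(['chalk', 'strip-ansi', 'ansi-styles', 'debug']);
const BLOCKED = { chalk: new Set(['0.0.0-placeholder']), debug: new Set(['0.0.0-placeholder']) };

// Package name from a lockfile path, e.g. "node_modules/a/node_modules/@s/b" -> "@s/b".
function nameFromPath(p) {
  return p.slice(p.lastIndexOf('node_modules/') + 'node_modules/'.length);
}

// Returns every occurrence (direct or transitive) of a watched package with its
// resolved version and whether that version is blocked. Handles lockfile v1
// (nested "dependencies") and v2/v3 (flat "packages" map).
function auditLockfile(lockJson, blocked = BLOCKED) {
  const lock = JSON.parse(lockJson);
  const findings = [];
  const record = (name, version = 'unknown', path) => {
    if (!WATCHED.has(name)) return;
    const isBlocked = Boolean(blocked[name] && blocked[name].has(version));
    findings.push({ name, version, path, blocked: isBlocked });
  };
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path !== '') record(nameFromPath(path), meta.version, path); // '' is the root project
    }
  } else {
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const path = `${prefix}node_modules/${name}`;
        record(name, meta.version, path);
        walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return findings;
}

// Constructed sample (lockfile v3): a clean chalk and a blocked debug pulled in transitively.
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app' },
    'node_modules/chalk': { version: '4.1.2' },
    'node_modules/express/node_modules/debug': { version: '0.0.0-placeholder' },
  },
});

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.blocked ? 'BLOCKED' : 'ok'}\t${f.name}@${f.version}\t${f.path}`);
}
```

Any `BLOCKED` hit means the lockfile must be repinned to a known-safe version and `node_modules` reinstalled from a clean state, since the cached tarball is otherwise reused.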
What’s next
Expect continuous updates from npm, maintainers, and security firms as remediation advice is issued. This attack follows a wave of recent npm compromises, showing that attackers are deliberately targeting open-source infrastructure. Developers are urged to enable 2FA on npm accounts, rotate credentials, and add CI checks to flag suspicious code changes.