Swathes of crypto users could be at risk of having their funds stolen following the discovery of compromised JavaScript code packages, Ledger CTO Charles Guillemet warned Monday.
NPM is a prominent package manager for JavaScript, and Guillemet said on X that the entire programming language’s ecosystem could be vulnerable after a reputable developer’s account was compromised, potentially spreading a malicious payload to various websites.
“The malicious payload works by silently swapping crypto addresses on the fly to steal funds,” he said, adding that compromised packages have been downloaded more than 1 billion times. Guillemet added that funds on “potentially all chains” could be vulnerable to the exploit.
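The address swap Guillemet describes happens between the moment a user confirms a recipient and the moment a transaction is signed. As an added example that is not part of the article or of any Ledger code, the guard below pins the confirmed recipient and refuses to proceed if the address handed to the signer no longer matches; every function name and the addresses used are hypothetical and constructed.

```javascript
// Added example (not from the article): a wallet-side guard that records the
// recipient the user confirmed and rejects a signing request whose "to"
// field has been changed by in-page code. Names are hypothetical.

// Normalise so that a case-only difference in an EVM-style hex address is not
// reported as a swap; any other address format is compared byte-for-byte.
function canonical(addr) {
  const a = String(addr == null ? '' : addr).trim();
  return /^0x[0-9a-fA-F]{40}$/.test(a) ? a.toLowerCase() : a;
}

// Capture the recipient at confirmation time as a frozen primitive copy, so a
// later rewrite of the DOM or of the request object cannot reach it.
function pinRecipient(userConfirmedAddress) {
  const pinned = canonical(userConfirmedAddress);
  if (!pinned) throw new Error('no recipient confirmed');
  return Object.freeze({ pinned });
}

// Compare the pinned recipient with the address about to be signed.
// Returns { ok, reason }; the signing path proceeds only when ok is true.
function checkOutgoing(pin, txRequest) {
  const outgoing = canonical(txRequest && txRequest.to);
  if (!outgoing) return { ok: false, reason: 'missing recipient' };
  if (outgoing !== pin.pinned) {
    return { ok: false, reason: 'recipient changed from ' + pin.pinned + ' to ' + outgoing };
  }
  return { ok: true, reason: '' };
}

// Constructed demo: the user confirmed one address; the request that reaches
// the signer carries a different one, which is exactly the swap to catch.
function demo() {
  const confirmed = '0xabcdefabcdefabcdefabcdefabcdefabcdefabcd'; // constructed
  const tampered = '0x1111111111111111111111111111111111111111';  // constructed
  const pin = pinRecipient(confirmed);
  const result = checkOutgoing(pin, { to: tampered, value: '1000' });
  console.log(result.ok ? 'signing allowed' : 'blocked: ' + result.reason);
  return result;
}

demo();
```

Pairing this check with the address shown on a hardware wallet's own screen closes the remaining gap, since the web page cannot alter what the device displays.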