Ledger CTO warns: compromised NPM account may affect the entire JavaScript ecosystem
Source: CoinWorld
Time: 2025-09-09 02:48:38
According to Bijie.com, on September 9 (UTC+8), Ledger Chief Technology Officer (CTO) Charles Guillemet warned that a large-scale supply chain attack is underway. The NPM account of a well-known developer was hacked, and the affected packages have been downloaded more than 1 billion times in total, so the attack may affect the entire JavaScript ecosystem. The malicious code tampers with cryptocurrency addresses during transactions to steal funds. It is not clear whether the attacker directly stole software wallet mnemonic phrases. Guillemet said that using a hardware wallet with clear signing carries relatively low risk, but each transaction still needs to be carefully verified; users who do not use hardware wallets should temporarily avoid on-chain transactions. He added that the attack "potentially affects all chains."