Ledger CTO: Large-scale supply chain attacks are occurring, and the entire JavaScript ecosystem may be at risk
Source: ChainCatcher
Time: 2025-09-09 08:27:56
According to ChainCatcher, Charles Guillemet, chief technology officer of Ledger, said, "A large-scale supply chain attack is happening: a well-known developer's NPM account is being hacked. The affected packages have been downloaded more than 1 billion times, which means the entire JavaScript ecosystem may be at risk. The malicious code works by silently tampering with cryptocurrency addresses in the background to steal funds. If you use a hardware wallet, carefully check every signed transaction and you are safe. If you are not using a hardware wallet, please avoid any on-chain transactions for the time being. It is not clear whether the attacker is already stealing the mnemonic words of the software wallet directly. If you are using Ledger or other hardware wallets that support clear signatures, you will not be affected. My previous tweet was a reminder: There is a risk for users who do not use hardware wallets that support clear signatures. Be sure to carefully check every transaction before signing. For more details, see the detailed report."