A major security scare in the open-source software world appears to have been contained. Ledger’s chief technology officer, Charles Guillemet, confirmed Tuesday that a high-profile supply chain attack on the Node Package Manager (NPM) ecosystem caused “almost no victims,” thanks to early detection and technical failures on the attackers’ side.
Update on the NPM attack: The attack fortunately failed, with almost no victims.🔒
— Charles Guillemet (@P3b7_) September 9, 2025
It began with a phishing email from a fake npm support domain that stole credentials and gave attackers access to publish malicious package updates. The injected code targeted web crypto activity,… https://t.co/Ud1SBSJ52v pic.twitter.com/lOik6k7Dkp
How the Attack Unfolded
According to Guillemet, the incident began when hackers launched a phishing campaign using spoofed emails that mimicked NPM’s support domain. By tricking developers into handing over credentials, the attackers gained access to publish malicious updates to widely used JavaScript packages.
The compromised packages attempted to intercept crypto transactions by altering destination addresses in network responses across chains such as Ethereum and Solana. However, flaws in the attackers’ implementation caused continuous integration and deployment (CI/CD) systems to crash, quickly exposing the breach.
“This time, the immediate danger may have passed, but the threat hasn’t,” Guillemet warned in a post on X, urging users to rely on hardware wallets and transparent signing protections.
Limited Damage, Major Risk
Blockchain analytics firm Arkham estimated the attackers only stole around $503 in cryptocurrency before their operation was shut down. The funds were linked to the same addresses highlighted in Guillemet’s initial alert.

Despite the relatively small losses, experts stressed how dangerous the incident could have been. SEAL Org, a security collective, noted that one compromised NPM account had packages downloaded billions of times per week. If the malicious payload had been more sophisticated, the outcome could have been catastrophic.
By early Tuesday, several major crypto projects — including Uniswap, Morpho, MetaMask, OKX Wallet, Sui, Aave, Trezor, and Lido — confirmed they were unaffected by the breach.
The Bigger Picture
While this particular attack was quickly contained, security researchers warn that supply chain compromises remain one of the most effective tactics for targeting the crypto ecosystem. Recent investigations suggest attackers are blending onchain techniques with open-source malware distribution, even embedding command-and-control instructions inside Ethereum smart contracts to control malicious code spread through NPM.