NPM Breach Sparks Large-Scale Supply Chain Attack Targeting Crypto Wallets

NPM Breach Puts Open Source Security in Spotlight as Crypto Wallets Face Malware Risk

A compromised NPM account of open source developer qix triggered a large-scale supply chain attack, with Ledger’s CTO warning that crypto software wallets face heightened risks from malware that silently swaps wallet addresses.

A major security incident has exposed critical risks in the open-source ecosystem, after the Node Package Manager (NPM) account of open-source developer qix was compromised. Ledger’s Chief Technology Officer Charles Guillemet warned of a “large-scale supply chain attack targeting crypto software wallets” following the breach.

Attackers used the compromised NPM packages to distribute malware that scans and exploits crypto wallets. The malware alters transaction-signing code to divert funds, with Guillemet noting: “The malicious payload works by silently swapping crypto addresses on the fly to steal funds.” He stressed that software wallets face greater risk than hardware wallets.

Advising caution, Guillemet urged: “If you use a hardware wallet, pay attention to every transaction before signing and you’re safe. If you don’t use a hardware wallet, refrain from making any on-chain transactions for now.” DefiLlama developer 0xngmi added that only websites updating since the hacked packages were published are at risk, advising users it is “safer to avoid using crypto websites till this blows over and they clean up the bad packages.”

The compromised packages had been downloaded over one billion times from NPM, which serves as the core package registry for JavaScript and is relied upon heavily across open-source development.

While major platforms including MetaMask, Uniswap, Aave, and Jupiter confirmed they remain unaffected, the incident has raised alarm over the fragility of open-source supply chains.

In a related breach, SwissBorg exchange reported hackers stole 193,000 SOL—worth about $41.5 million—via a compromised partner API, impacting less than 1% of users.

The incident underscores the urgent need for stronger security practices, code auditing, and dependency management within open source software supply chains.
