Ledger CTO Warns of NPM Supply-Chain Attack Hitting 1B+ Downloads
Charles Guillemet, Chief Technology Officer at Ledger, has alerted the community to a significant supply-chain attack on the Node Package Manager (NPM) ecosystem. A reputable developer's NPM account was compromised, and malicious code was inserted into packages that together have been downloaded over a billion times. The injected code is designed to swap crypto wallet addresses during transactions, silently redirecting funds to the attackers.

Guillemet stresses the broader implications of the incident: open-source software is deeply interconnected, so a security flaw in a widely used development tool propagates to everything built on it. He did not reveal the compromised developer's identity, but points out that any decentralized application or software wallet that depends on the affected packages could be vulnerable. He recommends using hardware wallets with secure screens, so that transaction details can be verified on a display the compromised software cannot alter. The episode is a reminder to always verify transaction details and to rely on technology that confirms you are interacting with the intended wallet address.
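The address-swapping behaviour described above is most dangerous when the application trusts whatever its dependencies hand to the signer. As an added illustration (not code from the article, from Ledger, or from the affected packages), the guard below re-derives the recipient from the outgoing request and compares it with the address the user confirmed on screen, so a swap made anywhere earlier in the dependency chain is blocked before signing. It assumes EVM-style 0x addresses and an eth_sendTransaction-shaped request object, and it also covers ERC-20 `transfer` calldata, where the real recipient is not the `to` field; all sample data is constructed.

```javascript
// Added example: pre-signing recipient check for a dApp or software wallet.
// Assumes 0x-prefixed 20-byte addresses and an eth_sendTransaction-style object.
const HEX_ADDRESS = /^0x[0-9a-fA-F]{40}$/;
const ERC20_TRANSFER_SELECTOR = "0xa9059cbb"; // transfer(address,uint256)

// Lowercase after validating so checksum casing never masks or fakes a match.
function normalizeAddress(addr) {
  if (typeof addr !== "string") return null;
  const a = addr.trim();
  return HEX_ADDRESS.test(a) ? a.toLowerCase() : null;
}

// Where funds actually go: for a plain transfer it is `to`; for an ERC-20
// transfer `to` is the token contract and the recipient sits in calldata
// (4-byte selector, then the address left-padded to a 32-byte word).
function effectiveRecipient(txRequest) {
  const data = typeof txRequest.data === "string" ? txRequest.data.toLowerCase() : "0x";
  if (data.startsWith(ERC20_TRANSFER_SELECTOR)) {
    if (data.length < 138) return null;               // selector + two words
    if (!/^0{24}$/.test(data.slice(10, 34))) return null; // padding must be zero
    return normalizeAddress("0x" + data.slice(34, 74));
  }
  return normalizeAddress(txRequest.to);
}

// Returns {ok, reason} rather than throwing so callers can block and log.
function guardOutgoingTx(confirmedTo, txRequest) {
  const expected = normalizeAddress(confirmedTo);
  if (!expected) return { ok: false, reason: "confirmed address is not a valid 0x address" };
  if (!txRequest || typeof txRequest !== "object") return { ok: false, reason: "malformed request" };
  const actual = effectiveRecipient(txRequest);
  if (!actual) return { ok: false, reason: "could not determine recipient from request" };
  if (actual !== expected) {
    return { ok: false, reason: `recipient changed before signing: expected ${expected}, got ${actual}` };
  }
  return { ok: true, reason: "recipient matches what the user confirmed" };
}

// Constructed samples: the address the user confirmed, an intact request, and
// two requests whose recipient was altered between the UI and the signer.
const USER_CONFIRMED_TO = "0x000000000000000000000000000000000000dEaD";
const INTACT_REQUEST = { from: "0x1111111111111111111111111111111111111111",
  to: "0x000000000000000000000000000000000000dead", value: "0x2386f26fc10000" };
const TAMPERED_REQUEST = { ...INTACT_REQUEST, to: "0x000000000000000000000000000000000000beef" };
const TAMPERED_ERC20 = { from: INTACT_REQUEST.from, to: "0x2222222222222222222222222222222222222222",
  data: ERC20_TRANSFER_SELECTOR + "0".repeat(24) +
        "000000000000000000000000000000000000beef" + "0".repeat(60) + "2710" };
```

Run the guard as the very last step before the request reaches the signer, and treat a mismatch as a hard stop, not a warning.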