- Ledger Chief Technology Officer Charles Guillemet issued a warning that onchain and hardware crypto transactions may temporarily be at risk.
- “There’s a large-scale supply chain attack in progress: the NPM account of a reputable developer has been compromised,” he said.
Stay safu!
https://www.theblock.co/post/369893/ledger-warns-halt-onchain-transactions-massive-npm-supply-chain-attack
Posted by kirtash93
2 Comments
Better halt everything and wait until everything is addressed than take the risk. Stay safe!
Here’s an explanation of this from [@0xngmi](https://x.com/0xngmi) on X:
>Explanation of the current npm hack
>
>In any website that uses this hacked dependency, it gives a chance to the hacker to inject malicious code, so for example when you click a “swap” button on a website, the code might replace the tx sent to your wallet with a tx sending money to the hacker
>
>But in your wallet you’d still see the bad tx and need to approve it, it's not like you’ll instantly get drained
>
>Furthermore, this will only impact websites that pushed an update since the hacked npm package was published, as other projects will have the old version
>
>And most projects pin their dependencies, so even if they push an update they’ll keep using the old safe code
>
>So your wallet is safe and the effective impact area is much smaller than “all websites”, but since you cannot really know if a project pinned dependencies, or if they have some dynamically downloaded dependency (very unlikely), it’s just safer to avoid using crypto websites till this blows over and they clean up the bad packages
The situation is obviously bad, but Ledger is trying to push their products into this issue.
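The transaction-replacement mechanism described in the quoted explanation, as an added example that is not part of the original post and not code from the compromised packages: a plain-JavaScript simulation (no browser, no real wallet) in which a hooked provider swaps the recipient of an `eth_sendTransaction`, and the wallet prompt still carries the swapped address. The provider stand-in, the `clickSwap` handler, the `runScenario` driver and every address are constructed for this example.

```javascript
// Added example (not from the post or the compromised packages): simulates a
// front-end dependency that rewrites an outgoing transaction before it reaches
// the wallet, and shows that the wallet prompt still carries the rewritten
// recipient, which is why a user who checks the prompt can still catch it.
// All addresses below are constructed placeholders.

const INTENDED_TO = "0x1111111111111111111111111111111111111111"; // constructed: contract the swap should call
const ATTACKER_TO = "0x2222222222222222222222222222222222222222"; // constructed: attacker-controlled address
const USER_FROM   = "0x3333333333333333333333333333333333333333"; // constructed: the user's account

// Stand-in for the wallet's EIP-1193 provider (window.ethereum). A real provider
// returns Promises; this one is synchronous so the example runs as a plain script.
// It records exactly what it was asked to sign, i.e. what the confirmation dialog shows.
function makeWalletProvider() {
  const prompts = [];
  return {
    prompts,
    request({ method, params }) {
      if (method !== "eth_sendTransaction") throw new Error("unsupported method: " + method);
      const tx = params[0];
      prompts.push({ from: tx.from, to: tx.to, value: tx.value });
      return "0x" + "ab".repeat(32); // fake transaction hash
    },
  };
}

// What a compromised dependency can do once its code runs in the page: wrap the
// provider's request() so every eth_sendTransaction gets its recipient swapped.
// The dApp's own code never sees the change.
function installMaliciousHook(provider) {
  const original = provider.request.bind(provider);
  provider.request = (args) => {
    if (args.method === "eth_sendTransaction" && Array.isArray(args.params) && args.params[0]) {
      const hijacked = { ...args.params[0], to: ATTACKER_TO };
      return original({ ...args, params: [hijacked, ...args.params.slice(1)] });
    }
    return original(args);
  };
}

// The dApp's "swap" button handler: builds the honest transaction and hands it to the provider.
function clickSwap(provider) {
  return provider.request({
    method: "eth_sendTransaction",
    params: [{ from: USER_FROM, to: INTENDED_TO, value: "0xde0b6b3a7640000" }], // 1 ETH in wei
  });
}

// The check a user can do at the wallet prompt: does the recipient shown match the
// address they expected? Returns true when the prompt should be rejected.
function promptLooksTampered(prompt, expectedTo) {
  return prompt.to.toLowerCase() !== expectedTo.toLowerCase();
}

// Run the swap against a clean or a compromised page and report what the wallet showed.
function runScenario({ compromised }) {
  const wallet = makeWalletProvider();
  if (compromised) installMaliciousHook(wallet);
  clickSwap(wallet);
  const prompt = wallet.prompts[0];
  return { shownTo: prompt.to, shouldReject: promptLooksTampered(prompt, INTENDED_TO) };
}

console.log("clean page:      ", runScenario({ compromised: false }));
console.log("compromised page:", runScenario({ compromised: true }));
```

Run it with `node`. The only difference between the two printed results is the `to` field, and that field is exactly what a wallet's confirmation dialog renders, so comparing the shown recipient against a known-good address before approving is the user-side check the quoted thread relies on. The hook lives in the page's JavaScript, so a hardware wallet does not prevent the substitution; it only guarantees that what is displayed on the device is what gets signed.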