Key Highlights:
- A major supply chain attack compromised npm packages such as “debug” and “chalk” that are widely used by JavaScript and EthereumJS projects.
- Attackers injected malicious code that silently swapped cryptocurrency addresses during transactions.
- The attack failed due to coding errors.
A huge supply chain attack targeting the widely used JavaScript package “debug” (a tool that developers use to log information and troubleshooting apps), was revealed today, September 9, 2025. In this hack, instead of attacking any of the individual projects, hackers managed to compromise this tool which allows malicious code to spread wherever it was installed. Since Ethereum JS libraries and a lot of other projects mainly rely on “debug,” the risk of data theft or deep breaches was significant.
The attack was disclosed on the project’s GitHub issue tracker, where maintainers confirmed that attackers had gained access to publishing credentials. Ledger’s CTO, Charles Guillemet, had posted about this threat yesterday on X and tried to warn users. However, the CTO has now confirmed that the update was quickly detected and the number of victims was minimal because the flawed code caused crashes in CI/CD pipelines, raising red flags early on.
What Happened?
On September 9, 2025, it has been revealed by the security experts that hackers managed to break into the NPM account of a trusted developer (Josh Junon) and pushed out a fake update (v4.4.2) of the popular “debug” package. This tool or package is used in the JavaScript world and EthereumJS libraries a little too much, with over 2 billion weekly downloads, so the attack had the capacity to spread to many apps and systems.
The malicious code had been designed here in such a way that it could secretly swap out real cryptocurrency wallet addresses with the attacker’s own, stealing funds without the users noticing. Since most of the companies that use open-source tools like “debug” without questioning them, a single poisoned update could have spread like a wildfire. But in practice, the attackers’ implementation mistakes caused failure that made detection far easier. This led to limited spread and prevented widespread theft.
How Did the Attack Work?
As mentioned above, the attackers compromised developer’s NPM credentials and pushed a malicious update of the “debug’ package. What the developer did not know was, there was a hidden function that secretly replaced legitimate crypto wallet addresses with the ones controlled by the hackers. Whenever apps using this package generated blockchain transactions, the funds were redirected without the users ever noticing, but because the update crashed pipelines, the attempt backfired and was stopped early.
Could It Get Worse?
Even though this attack failed, it shows how risky the situation would have been if the CI/CD pipelines had not crashed. Poisoned updates could have acted like Trojan horses and they would have embedded themselves into various projects. If this attack was executed with more precision, it would have affected financial apps, exchanges and even non-crypto platforms that depend on the same tools.
Ledger CTO had emphasized in this X post, users of hardware wallets with clear transaction signing remain protected, as they can verify details before signing and prevent silent address swaps.
Precautions to Take Immediately
- Make sure that you run npm ls debug in your project’s directory and if you happen to see version 4.4.2 installed, remove it immediately and do a clean reinstall from a trusted source.
- If you are not using a hardware wallet with clear transaction signing, try not to carry out any blockchain transactions until this threat is fully mitigated.
- Hardware wallets as mentioned by Ledger CTO provide a safety layer which requires manual approval of transaction details so one can easily spot unauthorized address changes.
- Make sure that your verify the recipient address on transaction confirmation screens before signing.
- Follow official repos, npm advisories and reliable security channels for updates on the incident.
Also Read: OpenLedger (OPEN) Surged 200% Today- Here’s Why the Rally Ignited
