Odaily Planet Daily reported that Ledger CTO Charles Guillemet wrote, "A large-scale supply chain attack is currently underway: a well-known developer's NPM account has been compromised. The affected packages have been downloaded over 1 billion times, which means the entire JavaScript ecosystem may be at risk.
The malicious code works by silently tampering with cryptocurrency addresses in the background to steal funds.
If you use a hardware wallet, double-check every signed transaction and you’ll be safe.
If you are not using a hardware wallet, please avoid any on-chain transactions for now.
It is not yet clear whether the attackers have been directly stealing mnemonics from software wallets.
If you're using a Ledger or other hardware wallet that supports clear signatures, you're not affected. My previous tweet was a reminder: users who don't use hardware wallets that support clear signatures are at risk. Please be sure to carefully review every transaction before signing.
More details can be found in the detailed report."
