Polygon Resolves Finality Lag After Major NPM Supply Chain Attack

Polygon Fixes Finality Delay as Massive NPM Supply Chain Attack Puts Ecosystem at Risk

What to Know:

  • Polygon fixed a finality delay; the chain kept running without security risks.

  • NPM hack hit popular packages like chalk and debug, risking address swaps.

  • Hardware wallets remain safest; software wallet users should stay cautious.

Polygon has finally fixed the delay caused by the massive NPM attack. Though it is taking 10 to 15 minutes longer than usual for transactions to be fully confirmed, the chain is still up and running, and blocks and checkpoints continue to be produced as usual. The good news is that Polygon’s team quickly worked out a fix and is already rolling it out to all validators and service providers.

Everything is being monitored closely, and updates are being shared on their status page. Polygon has confirmed that its PoS and Agglayer libraries were unaffected by any vulnerabilities, so the delay appears to be just a network technical glitch, not a security issue.

NPM Supply Chain Attack Rocks JavaScript

Just days earlier, a major supply chain attack shook the developer world and, by extension, the crypto world too. The NPM account of a highly trusted developer was compromised via a phishing email. Hackers used the compromised account to publish malicious updates to popular JavaScript packages like chalk, debug, and strip-ansi. Collectively, these packages see over 2 billion downloads every week.

According to the Ledger CTO, Charles Guillemet, this was one of the largest supply chain attacks in NPM’s history. The malware worked by silently swapping out real crypto wallet addresses for attacker-controlled ones right at the moment users signed transactions.

Anatoly Makosov, the chief technology officer of The Open Network (TON), said that only specific versions of 18 packages were compromised and that rollbacks were already published. Breaking down the mechanics of the attack, Makosov said compromised packages functioned as crypto clippers, which silently spoofed wallet addresses in products that relied on the infected versions.

How Widespread Was the Impact?

According to a report, during the window when the malicious versions were live (only about two hours), at least 10% of cloud environments had already received the tainted code.

The malicious versions include obfuscated code that silently embeds a browser-side interceptor into frontend bundles. When a user’s browser loads an affected page, the code activates and wraps core web APIs (including fetch and XMLHttpRequest), as well as wallet interfaces such as window.ethereum.request and Solana signing methods, thereby placing itself between the app and both the network and the wallet.

The code then scans responses and transaction payloads for blockchain addresses (ETH, BTC, SOL, TRX, LTC, BCH). If it identifies any money-moving actions, it silently rewrites the recipients, spender addresses, and ERC-20 approvals / allowances to attacker-controlled values, going so far as to use look-alike substitutions so that the UI still appears relatively normal from the user’s perspective. Because the swap happens before the user signs, victims can end up approving or sending currency to the attacker while believing all is well.

Why This Matters

If you use a hardware wallet like Ledger, make sure you double-check the transaction details on the device’s screen before approving. This extra step can stop the malicious address swap from working. If you’re using a software wallet, it’s safest to pause any on-chain activity until the issue is fully resolved.

Developers should check whether their projects use any of the affected packages, pin older safe versions, or wait for clean updates to be published. While the attack hit the JavaScript ecosystem, no evidence suggests that other blockchains themselves were compromised. Still, any crypto app built on web technologies, especially those interacting with wallets, could be affected. So far, no one has confirmed that this attack led to stolen funds.
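One way to run the dependency review described above, as an added example that is not part of the original article: it walks a parsed package-lock.json and reports every installed copy of the named packages, including nested transitive copies, and flags exact versions on a deny-list. The article gives no version numbers, so the deny-list versions, the sample lockfile and the function names are constructed placeholders.

```javascript
// Added example, not from the article. Version strings are constructed
// placeholders; build the real deny-list from the registry advisory.
const DENYLIST = new Map([
  ["chalk", ["9.9.9-constructed"]],
  ["debug", ["9.9.8-constructed"]],
  ["strip-ansi", ["9.9.7-constructed"]],
]);

// Every installed copy recorded in a parsed package-lock.json, including
// transitive copies nested under other packages.
function installedCopies(lock) {
  const copies = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path.
    for (const [path, meta] of Object.entries(lock.packages)) {
      const cut = path.lastIndexOf("node_modules/");
      if (cut === -1) continue; // root project or workspace folder
      // An aliased install records the real package name in meta.name.
      const name = meta.name || path.slice(cut + "node_modules/".length);
      copies.push({ name, version: meta.version, path });
    }
    return copies;
  }
  // lockfileVersion 1: nested "dependencies" trees.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${trail}node_modules/${name}`;
      copies.push({ name, version: meta.version, path });
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return copies;
}

// Each copy of a watched package, flagged when its exact version is listed.
function auditLock(lock, denylist = DENYLIST) {
  return installedCopies(lock)
    .filter((c) => denylist.has(c.name))
    .map((c) => ({ ...c, flagged: denylist.get(c.name).includes(c.version) }));
}

// Constructed sample lockfile: a clean direct copy, a nested hit, an aliased hit.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/chalk": { version: "1.0.0-constructed" },
  "node_modules/some-cli/node_modules/debug": { version: "9.9.8-constructed" },
  "node_modules/plain-text": { name: "strip-ansi", version: "9.9.7-constructed" },
} };
console.log(auditLock(SAMPLE_LOCK).filter((c) => c.flagged));
```

To audit a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `auditLock` together with a deny-list built from the registry advisory.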

Final Thoughts

These events show how weak software security can be, from a technical problem on one network to a global software attack through trusted libraries. In both cases, quick action and clear communication kept things from getting too bad.
