If you haven’t seen this, BTC Sessions posted a video here about it. A malicious package in NPM could potentially impact a large number of wallet applications that are built on Node.js. The package in question has been downloaded more than 1 billion times (so it is widely distributed). It contains code which looks for anything that matches the pattern of a bitcoin address, and swaps them out with another address that looks visually similar, but is controlled by the attacker.
On-chain transactions could potentially be impacted when using apps from Ledger, Trezor, Blockstream, Bitkey, Exodus, Nunchuk, Muun, Blue Wallet, Phoenix, Zeus, and a few others. Also potentially impacted are hardware signers from Trezor, Ledger, Bitbox 02, Blockstream Jade, Keystone, and Bitkey that use java script. Some wallet applications that are NOT affected include Sparrow, Spectre DIY, and Electrum.
Be extra careful to double and tripple check the output recipient and change addresses on your hardware signer’s screen before signing a transaction. Look closely, since the malware will try to use an address that looks similar. If anything looks wrong, then of course do not sign the transaction!
One thing that BTC Sessions didn’t mention is whether or not change addresses could be impacted (which could be impossible to verify if you are using an affected companion application since there would be nothing to cross-check against what you see on the signer’s screen). Also, I believe Core Lightning could potentially be impacted (I recall that I used NPM when building the CLN Application for Windows in this video).