Pascal Gauthier, CEO of Ledger, revealed in a public post that a former employee was tricked in a phishing attack, which allowed an unapproved person to upload a malicious file to the company’s NPM registry account. Gauthier described that “the attacker published a malicious version of the Ledger Connect Kit (affecting versions 1.1.5, 1.1.6, and 1.1.7),” adding that “the malicious code used a rogue WalletConnect project to reroute funds to a hacker wallet.”
This so-called “crypto drainer” siphoned funds from digital wallets that connected through the library. Because many crypto projects use the Connect Kit library, the potential financial loss was significant. Fortunately, the compromised version was live for only about five hours, and actively draining funds for roughly two of them, which limited the damage.
The attacker was able to obtain more than $610,000 worth of crypto tokens. Additionally, Revoke.cash – a service for revoking certain crypto transactions that was affected by the incident – reported losses of approximately $850,000. Gauthier explained that the attack was addressed within 40 minutes of its discovery, and that the attacker’s blockchain address has been identified, with Tether having frozen their Tether tokens. He also added that authorities have been notified.
A safe version of Connect Kit, version 1.1.8, has been released. However, according to security firm Socket, the library currently has a score of 51 out of 100 for Supply Chain Security and 55 out of 100 for Quality. Gauthier insists that standard practice at Ledger is that no one person can deploy code without a multiparty review, and that they have strong access controls, internal reviews, and multi-signature code when it comes to most parts of their development. He also added that any employee who leaves the company has their access revoked from every Ledger system.
Despite these measures, Ledger’s account of the incident suggests that company security controls fell short on this occasion. Rosco Kalis, a software engineer for Revoke.cash, noted that Ledger did not have two-factor authentication in place for NPM, which would have prevented the phishing attack from working. Furthermore, he alleged that Ledger failed to revoke code publication rights for its former employee.
Gauthier described the incident as an “unfortunate isolated incident,” and stated that Ledger will be implementing stronger security controls. Yet Kalis pointed out that Ledger distributes Connect Kit through a content delivery network (CDN) in a way that does not allow developers to pin the library to a specific version. Consequently, applications that depend on the library always fetch the latest release, so a malicious release is picked up by every dependent site as soon as it is published.
Kalis accepted some of the blame, acknowledging that, while Ledger should not have published its library in a way that did not support dependency pinning, Revoke.cash should have been aware of the security risk posed by Connect Kit’s distribution method. He also said that the only way for victims to be reimbursed for their losses is from Ledger, but it is unclear as to whether they plan to do so.