Malicious code was slipped into one of Ledger’s JavaScript libraries, Connect Kit, leading to the theft of over half a million dollars from users, the company has said.
Connect Kit is used by decentralized applications (DApps) to connect to and use people’s Ledger hardware wallets.
According to CEO Pascal Gauthier, a former employee fell victim to a phishing attack, which allowed the unauthorized party to upload a malicious file to the company’s NPM registry account.
The attacker uploaded malicious versions of the Ledger Connect Kit (versions 1.1.5, 1.1.6, and 1.1.7) and used a rogue WalletConnect project to reroute funds to a hacker wallet, Gauthier explained.
Fortunately, the compromised file was live for only about five hours and active for about two, limiting the potential financial loss. However, it’s reported that the attacker managed to obtain more than $610,000 worth of crypto tokens during this period.
The attack was discovered and addressed within 40 minutes, with the attacker’s blockchain address identified and Tether freezing the attacker’s tokens. Law enforcement has also been informed. The verified version of the Ledger Connect Kit, version 1.1.8, is now available and safe to use, according to Gauthier.
The incident has highlighted potential security issues in Ledger’s systems, prompting Gauthier to emphasize that strong access controls and multi-signature code reviews are in place. He also stated that code deployment requires multiparty review and access is revoked promptly when an employee leaves the company.
However, it appears that Ledger’s security measures fell short in this case: the absence of two-factor authentication and the failure to revoke the former employee’s code publication rights have both been pointed out.
As for those who have suffered losses, the responsibility for compensation is unclear. Ledger has not indicated if they plan to provide reimbursement, and the affected parties may have to seek their own solutions.
The incident also highlights flaws in how the Connect Kit library is distributed and the risks that distribution method poses. The company is expected to strengthen its security controls and supply chain security to prevent similar incidents in the future.
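As an added illustration (not code from the article, Ledger, or the Connect Kit project), this is the check a DApp team could run against its own package-lock.json for the three releases named above: it reports the kit installed at a compromised version and any caret or tilde range that would pull one in on a fresh resolve. The npm package name @ledgerhq/connect-kit, the simplified semver handling and the sample lockfile are assumptions.

```python
import json

# npm package name is assumed; the version numbers are the ones the article names.
PACKAGE = "@ledgerhq/connect-kit"
COMPROMISED = {"1.1.5", "1.1.6", "1.1.7"}

def parse(version):
    """'1.1.6' -> (1, 1, 6); pre-release suffixes are not handled."""
    return tuple(int(part) for part in version.split("."))

def spec_admits(spec, version):
    """Simplified semver: would a ^, ~, exact or wildcard spec resolve to version?"""
    v = parse(version)
    if spec in ("*", "latest", ""):
        return True
    if spec.startswith("~"):
        base = parse(spec[1:])
        return base <= v < (base[0], base[1] + 1, 0)
    if spec.startswith("^"):
        base = parse(spec[1:])
        if base[0] > 0:
            upper = (base[0] + 1, 0, 0)
        elif base[1] > 0:
            upper = (0, base[1] + 1, 0)
        else:
            upper = (0, 0, base[2] + 1)
        return base <= v < upper
    return parse(spec) == v

def admitted_compromised(spec):
    """Compromised releases a declared range would accept on a fresh resolve."""
    return sorted(v for v in COMPROMISED if spec_admits(spec, v))

def audit(lock_text):
    """Installed bad releases and risky declared ranges in a lockfileVersion 2/3 file."""
    packages = json.loads(lock_text).get("packages", {})
    installed = [(path, meta.get("version")) for path, meta in packages.items()
                 if path.endswith("node_modules/" + PACKAGE)
                 and meta.get("version") in COMPROMISED]
    root_deps = packages.get("", {}).get("dependencies", {})
    risky = {spec: admitted_compromised(spec) for name, spec in root_deps.items()
             if name == PACKAGE and admitted_compromised(spec)}
    return installed, risky

# Constructed sample lockfile: the kit installed at 1.1.6 through a caret range.
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"dependencies": {PACKAGE: "^1.1.4", "left-pad": "^1.3.0"}},
    "node_modules/" + PACKAGE: {"version": "1.1.6"},
    "node_modules/left-pad": {"version": "1.3.0"}}})
print(audit(SAMPLE_LOCK))  # flags the 1.1.6 install and the ^1.1.4 range
```

A tree pinned to 1.1.8 returns an empty result for both checks; the range check matters because a lockfile only protects the versions it already records, not the next resolve.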