December 15, 2023 at 07:21PM
Ledger, a cryptocurrency wallet maker, was targeted by malicious code inserted into its Connect Kit JavaScript library. The code rerouted funds to a hacker’s wallet, resulting in a loss of over $610,000. Despite security measures, a former employee’s compromised credentials were exploited. Ledger asserts the issue has been addressed, emphasizing improved security measures.
The meeting notes highlight the incident involving the insertion of malicious code into Ledger’s Connect Kit JavaScript library. The rogue code allowed hackers to siphon off more than half a million dollars in cryptocurrency. The compromised file was active for a short period, but managed to obtain significant funds before it was identified and addressed.
Pascal Gauthier, Ledger’s CEO, confirmed that the attack was swiftly addressed, and steps were taken to mitigate the situation. This includes identifying the attacker’s blockchain address and freezing their Tether tokens. Gauthier also emphasized that the authentic and verified version of the Ledger Connect Kit (version 1.1.8) is now safe to use.
However, concerns were raised about the security controls and practices at Ledger. It was mentioned that no one person can deploy code without multiparty review, yet a former employee fell victim to a phishing scheme, allowing unauthorized access to push through the malicious code. Additionally, it’s noted that Ledger did not have two-factor authentication in place for their NPM account, a control that may have prevented the phishing attack.
Revoke.cash, a service affected by the incident, reported substantial losses and indicated that it is challenging to determine which victims were compromised on its platform versus other websites. As a result, it stated that directly compensating impacted users may not be feasible and suggested that affected individuals seek reimbursement from Ledger.
It was also discussed that the method by which Connect Kit is distributed poses security risks, as developers cannot pin the library to a specific version, making it vulnerable to hijacking. Both Ledger and Revoke.cash highlighted the need for stronger security controls and practices, as well as the responsibility for potential reimbursements to affected users.
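What pinning by content looks like when a script is fetched at load time rather than bundled at a fixed version, as an added example (not Ledger's or Revoke.cash's code): the loader accepts the fetched bytes only if they match a Subresource Integrity digest recorded when the build was reviewed. The function names and bundle contents are constructed for illustration.

```javascript
// Added example: pin a third-party script by content digest (SRI format).
// Bundle contents below are constructed sample data, not real library code.
const nodeCrypto = require("crypto");

// Relative strength of the hash algorithms SRI allows.
const STRENGTH = { sha256: 1, sha384: 2, sha512: 3 };

// Build an SRI token such as "sha384-<base64 digest>" for the given bytes.
function sriDigest(content, algo = "sha384") {
  return `${algo}-${nodeCrypto.createHash(algo).update(content).digest("base64")}`;
}

// Parse an integrity string; drop unknown algorithms and keep only the
// tokens of the strongest algorithm present, as the SRI spec requires.
function parseIntegrity(integrity) {
  const tokens = integrity.trim().split(/\s+/)
    .map((t) => {
      const i = t.indexOf("-");
      return { algo: t.slice(0, i), value: t.slice(i + 1).split("?")[0] };
    })
    .filter((t) => STRENGTH[t.algo]);
  const best = Math.max(0, ...tokens.map((t) => STRENGTH[t.algo]));
  return tokens.filter((t) => STRENGTH[t.algo] === best);
}

// True only if the content matches a pinned digest. Fails closed when the
// integrity string is empty or contains no supported algorithm.
function verifyPinned(content, integrity) {
  const pins = parseIntegrity(integrity);
  return pins.some((pin) => {
    const actual = nodeCrypto.createHash(pin.algo).update(content).digest();
    const expected = Buffer.from(pin.value, "base64");
    return expected.length === actual.length &&
      nodeCrypto.timingSafeEqual(expected, actual);
  });
}

// Constructed samples: the build that was reviewed, and a later swapped file.
const reviewedBundle = "export function connect() { return 'reviewed build'; }";
const swappedBundle = "export function connect() { return 'unreviewed build'; }";
const pinned = sriDigest(reviewedBundle);

console.log("reviewed build accepted:", verifyPinned(reviewedBundle, pinned));
console.log("swapped build accepted:", verifyPinned(swappedBundle, pinned));
```

In a browser the same pin is expressed as the `integrity` attribute on the `<script>` tag, which makes the browser refuse to execute a file whose digest differs.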
Ledger, based in France, did not provide an immediate response to requests for comment.
Overall, the meeting notes highlight the importance of implementing robust security measures and controls, especially in the distribution of software libraries, and addressing any potential financial impact on affected users.