Ledger, a prominent hardware wallet provider, issued a warning to users after a supply chain attack targeted its “Ledger dApp Connect Kit” library. The malicious code injected into the library included a JavaScript wallet drainer, resulting in the theft of $600,000 in cryptocurrencies and NFTs. The malicious versions, 1.1.5 through 1.1.7, were published through an NPM account that had been compromised in a phishing attack on a former employee. Despite the swift removal of the malicious version and the deployment of a clean version (1.1.8), Ledger urges users to exercise caution, to avoid interacting with DApps for the time being, and, for potentially impacted projects, to replace the affected library with the clean version.
According to Ledger, the attacker, exploiting a breached NPMJS account, published the rogue version of the Ledger Connect Kit and used a WalletConnect project to reroute funds to a wallet under the attacker's control. The compromised library was available for approximately five hours, during which the wallet drainer attempted to automatically steal crypto and NFTs from connected wallets. Ledger assures users that its core hardware (the Ledger device) and its main software application (Ledger Live) for managing cryptocurrency assets remain uncompromised. However, the incident underscores the ongoing threats to the software supply chain in the cryptocurrency space, necessitating heightened security measures and vigilance among users.
The compromise began with version 1.1.5, in which the attacker left a message in the code, suggesting that this release was a test. Versions 1.1.6 and 1.1.7 contained heavily obfuscated malicious JavaScript code, marking a more sophisticated stage of the attack. While the investigation is ongoing, initial reports suggest approximately $680,000 was stolen during the supply chain attack. Ledger has taken steps to address the incident promptly, reporting the hacker’s wallet addresses and freezing stolen USDT (Tether). Despite these actions, the cryptocurrency community faces persistent challenges in securing supply chains against evolving threats, emphasizing the importance of continuous monitoring and swift response mechanisms.
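To check whether a dApp's dependency tree still resolves one of the compromised releases, here is an added example (not Ledger's code) that audits a parsed npm lockfile for the affected versions named above. It assumes the kit is published on npm as `@ledgerhq/connect-kit` and runs against constructed sample lockfiles rather than a real project.

```javascript
// Added example (not Ledger's code). Assumes the advisory's "Ledger Connect
// Kit" is the npm package "@ledgerhq/connect-kit"; versions come from the text.
const AFFECTED_PACKAGE = "@ledgerhq/connect-kit";
const COMPROMISED_VERSIONS = new Set(["1.1.5", "1.1.6", "1.1.7"]);

// Walk a parsed package-lock.json (lockfileVersion 1, 2 or 3) and return every
// resolved copy of the package, transitive ones included, tagged as compromised
// when its version falls in the malicious range.
function auditLockfile(lock) {
  const hits = [];
  if (lock.packages) {
    // v2/v3: flat map keyed by install path, e.g.
    // "node_modules/some-widget/node_modules/@ledgerhq/connect-kit"
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path.endsWith("node_modules/" + AFFECTED_PACKAGE)) {
        hits.push({ path, version: entry.version });
      }
    }
  } else {
    // v1: nested "dependencies" tree; recurse so nested copies are found too
    const walk = (deps, prefix) => {
      for (const [name, entry] of Object.entries(deps || {})) {
        const path = prefix + "node_modules/" + name;
        if (name === AFFECTED_PACKAGE) hits.push({ path, version: entry.version });
        walk(entry.dependencies, path + "/");
      }
    };
    walk(lock.dependencies, "");
  }
  return hits.map((h) => ({ ...h, compromised: COMPROMISED_VERSIONS.has(h.version) }));
}

// Install paths that must be moved to the clean release before the dApp ships.
function compromisedPaths(lock) {
  return auditLockfile(lock).filter((h) => h.compromised).map((h) => h.path);
}

// Constructed sample lockfiles (not real project data).
const SAMPLE_LOCK_V3 = { packages: {
  "": { name: "example-dapp", version: "0.1.0" },
  "node_modules/@ledgerhq/connect-kit": { version: "1.1.6" },
  "node_modules/some-widget": { version: "2.0.0" },
  "node_modules/some-widget/node_modules/@ledgerhq/connect-kit": { version: "1.1.8" },
} };
const SAMPLE_LOCK_V1 = { dependencies: { "some-widget": { version: "2.0.0",
  dependencies: { "@ledgerhq/connect-kit": { version: "1.1.5" } } } } };

console.log("v3 lockfile:", compromisedPaths(SAMPLE_LOCK_V3));
console.log("v1 lockfile:", compromisedPaths(SAMPLE_LOCK_V1));
```

A lockfile audit only covers copies installed from npm; a kit loaded at runtime from a remote script URL has to be checked separately at the place it is fetched.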