Ledger, the company behind the Ledger hardware cryptocurrency wallets, has disclosed a compromise of its NPM registry. The compromise led to malicious code being inserted into Ledger Connect Kit, a JavaScript library used by decentralized web applications to access cryptocurrency wallets. The attackers published fake versions of Connect Kit containing code designed to deceive victims and drain funds from their wallets. You can read more about this incident here.
The malicious code was present in Connect Kit versions 1.1.5, 1.1.6, and 1.1.7 and was removed in the legitimate 1.1.8 release. The attackers gained access to the NPM registry through a phishing attack that yielded the login credentials of a former Ledger employee. The success of the attack was attributed to the dismissal of that employee and to the use of a content delivery network that did not allow pinning to a specific, verified version of the library, so applications always loaded the latest version, including the compromised ones. More information about the attack can be found here.
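The pinning problem described above is easy to check for mechanically. The following is an added example, not Ledger's code: it classifies a dependency spec or CDN script URL for the Connect Kit package as unpinned, pinned, or pinned to one of the compromised releases named in this article. The npm package name `@ledgerhq/connect-kit` and the CDN URL layout `<cdn>/<package>@<version>/<file>` are assumptions, not taken from the article.

```javascript
// Added example (not Ledger's code). Flags dependency specs that float to
// "latest" and specs pinned to the compromised Connect Kit releases.
// ASSUMED: package name @ledgerhq/connect-kit and CDN URL layout
// "<cdn>/<package>@<version>/<file>" are not from the article.

const COMPROMISED = new Set(["1.1.5", "1.1.6", "1.1.7"]); // versions named in the article
const EXACT = /^\d+\.\d+\.\d+$/;                            // x.y.z with no range operator

// Pull the version out of a spec. Accepts a package.json value ("1.1.8",
// "^1.1.0", "latest") or a CDN URL whose path carries "<name>@<version>".
// Returns null when no version is given at all.
function extractVersion(spec) {
  const s = spec.trim();
  if (/^https?:\/\//.test(s)) {
    // Matches "/connect-kit@1.1.8/" but not the "@ledgerhq/" scope segment.
    const m = s.match(/\/@?[^/@]+@([^/]+)(?:\/|$)/);
    return m ? m[1] : null;
  }
  return s === "" ? null : s;
}

// A caret/tilde range is treated as unpinned too: without a lockfile it floats
// to the newest matching release, which is exactly how 1.1.5-1.1.7 were picked up.
function assess(spec) {
  const version = extractVersion(spec);
  const pinned = version !== null && EXACT.test(version);
  const compromised = pinned && COMPROMISED.has(version);
  let verdict;
  if (!pinned) {
    verdict = "unpinned: resolves to whatever version is newest at load time";
  } else if (compromised) {
    verdict = "pinned to a compromised release";
  } else {
    verdict = "pinned to a fixed version";
  }
  return { spec, version, pinned, compromised, verdict };
}

// Constructed sample inputs, not real deployments.
const SAMPLES = [
  "latest",
  "^1.1.0",
  "1.1.6",
  "1.1.8",
  "https://cdn.example/npm/@ledgerhq/connect-kit/dist/index.js",
  "https://cdn.example/npm/@ledgerhq/connect-kit@1.1.8/dist/index.js",
];

for (const s of SAMPLES) {
  const r = assess(s);
  console.log(`${r.verdict.padEnd(64)} ${s}`);
}
```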
Between the compromise and the removal of the malicious code, the compromised version of the library was available for download for approximately five hours; according to Ledger's assessment, however, the window in which victims' funds were actually attacked was limited to about two hours. To redirect funds to the attackers' wallet, a front project tied to the WalletConnect service was used; that service has since been blocked. At least $610,000 in cryptocurrency was determined to have been stolen from victims. Data from Revoke.cash suggests that the total stolen across the various sites using Connect Kit exceeded $850,000. You can find more information about the impact of the attack