A supply chain attack on crypto hardware wallet Ledger led to the theft of $600K

Pierluigi Paganini December 18, 2023

A supply chain attack against crypto hardware wallet maker Ledger resulted in the theft of $600,000 in virtual assets.

Threat actors pushed a malicious version of the “@ledgerhq/connect-kit” npm module developed by crypto hardware wallet maker Ledger, leading to the theft of more than $600,000 in virtual assets.

Once the attack was discovered, crypto hardware wallet maker Ledger published a new version (version 1.1.8) of its npm module. The malicious npm module (2e6d5f64604be31) has been removed from the repository.

Threat actors launched a phishing attack against a former employee, obtaining his credentials and gaining access to Ledger’s NPMJS account.

“Today we experienced an exploit on the Ledger Connect Kit, a Javascript library that implements a button allowing users to connect their Ledger device to third party DApps (wallet-connected Web sites). This exploit was the result of a former employee falling victim to a phishing attack, which allowed a bad actor to upload a malicious file to Ledger’s NPMJS (a package manager for Javascript code shared between apps),” reads the letter from Ledger chairman & CEO Pascal Gauthier. “We worked swiftly, alongside our partner WalletConnect, to address the exploit, updating the NPMJS to remove and deactivate the malicious code within 40 minutes of discovery. This is a good example of the industry working swiftly together to address security challenges.”

The initial observation suggests that the account probably did not have Multi-Factor Authentication (MFA) enabled.

The threat actors then uploaded three malicious versions of the module (1.1.5, 1.1.6, and 1.1.7) that included crypto-drainer malware.

Every application depending on the malware-laced module was compromised as a result of the supply chain attack.

The malicious code used a rogue WalletConnect project to hijack funds to a wallet under the control of the attackers. The security teams at Ledger were alerted and fixed the issue within 40 minutes of becoming aware.

“This morning CET, a former Ledger Employee fell victim to a phishing attack that gained access to their NPMJS account. The attacker published a malicious version of the Ledger Connect Kit (affecting versions 1.1.5, 1.1.6, and 1.1.7).” continues the report. “The malicious code used a rogue WalletConnect project to reroute funds to a hacker wallet. Ledger’s technology and security teams were alerted and a fix was deployed within 40 minutes of Ledger becoming aware.” 

The malicious version of the module was live for around 5 hours. Ledger, with the help of WalletConnect, quickly disabled the rogue project. 

Ledger, WalletConnect and their partners identified the attackers’ wallet address (0x658729879fca881d9526480b82ae00efc54b5c2d), and Tether has frozen their funds.
