Ledger JS library poisoned to steal over $650,000 from wallets • The Register

esteria.white

Cryptocurrency wallet maker Ledger claims someone slipped malicious code into one of its JavaScript libraries to steal more than half a million dollars from victims.

The library in question is Connect Kit, which allows DApps – decentralized software applications – to connect to and use users’ Ledger hardware wallets.

Pascal Gauthier, CEO of Ledger, in a public message said a former employee was duped by a phishing attack, which allowed an unauthorized party to upload a malicious file to the company’s NPM registry account.

“The attacker published a malicious version of the Ledger Connection Kit (affecting versions 1.1.5, 1.1.6 and 1.1.7),” Gauthier said. “The malicious code used a malicious WalletConnect project to redirect funds to a hacker’s wallet.”

The malicious file was what is known as a “crypto drainer” – it siphons funds from digital wallets. And because dozens of crypto projects were using the Connect Kit library, the potential financial loss could have been considerable. The damage was limited, however, because the compromised file was only live for about five hours, and in active use for about two.

During this period, it is claimed that the attacker managed to obtain over $610,000 worth of crypto tokens. Revoke.cash, a service for revoking certain cryptographic transactions – which was affected by the incident – reports losses in the order of $850,000.

According to Gauthier, the attack was resolved within 40 minutes of its discovery, the attacker’s blockchain address was identified, and Tether froze the attacker’s Tether tokens. The authorities, he claims, have been informed.

“The authentic and verified version of the Ledger Connect Kit, version 1.1.8, is now in circulation and safe to use,” Gauthier said.

“Safe” may be an overstatement: According to security firm Socket, which provides algorithmic assessments of NPM packages, Connect Kit currently scores 51 out of 100 for supply chain security and 55 out of 100 for quality.

Gauthier insists that standard practice at Ledger is that no one can deploy code without a multi-party review.

“We have strict access controls, internal reviews and multi-signature code for most parts of our development,” he said. “This is the case in 99 percent of our internal systems. Any employee who leaves the company has their access to all Ledger systems revoked.”

And yet, Ledger’s account of the incident – a former employee handed over his credentials to a phishing scheme, allowing a criminal to access Ledger’s NPM account and push bad code – suggests that this is an occasion where the company’s security controls failed.

According to Rosco Kalis, software engineer at Revoke.cash, Ledger did not have two-factor authentication in place for NPM, which likely would have prevented the phishing attack from working. Additionally, Kalis claims Ledger failed to revoke its former employee’s code publishing rights.

Gauthier called the fiasco an “unfortunate and isolated incident” and said: “Ledger will implement stricter security controls, connecting our build pipeline that implements strict software supply chain security to the channel of NPM distribution.”

The Ledger leader’s reference to the NPM distribution channel glosses over how Connect Kit is actually distributed.

Kalis pointed out that Ledger distributes Connect Kit through a content delivery network (CDN), which means developers can’t pin the library – limit it to a specific version. Instead, applications that depend on the library always fetch the latest version, which becomes problematic when the latest version has been hacked.

“Typically speaking, developers protect themselves against supply chain attacks by ‘pinning’ the versions of dependencies they install,” Kalis said.

Kalis accepted some of the blame by acknowledging that while Ledger should not have released its library in a way that did not support dependency pinning, Revoke.cash should have realized that Connect Kit’s distribution method posed a security risk.

However, Kalis is not ready to take on the burden of compensating those who lost funds.

“Due to the widespread nature of the exploit, it is impossible to determine which of the victims of the exploit were compromised on Revoke.cash and which were compromised on other websites,” he wrote. “Therefore, we unfortunately do not see this as a feasible solution for Revoke.cash or other affected websites to directly compensate affected users.”

Kalis says the only answer, in his opinion, is for victims to seek reimbursement for losses from Ledger, adding: “It is not yet known whether Ledger plans to do so.”

Ledger, based in France, did not immediately respond to a request for comment. ®
