A supply chain attack against crypto hardware wallet maker Ledger resulted in the theft of $600,000 in virtual assets.
Threat actors pushed a malicious version of the “@ledgerhq/connect-kit” npm module developed by crypto hardware wallet maker Ledger, leading to the theft of more than $600,000 in virtual assets.
Once the attack was discovered, Ledger published a new version (1.1.8) of its npm module. The malicious npm module (2e6d5f64604be31) has been removed from the repository.
Threat actors launched a phishing attack against a former Ledger employee, obtaining his credentials and access to Ledger’s NPMJS account.
The initial observation suggests that the account probably did not have Multi-Factor Authentication (MFA) enabled.
The threat actors then uploaded three malicious versions of the module (1.1.5, 1.1.6, and 1.1.7) that included crypto-drainer malware.
Every application depending on the malware-laced module was compromised as a result of the supply chain attack.
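The compromised releases named above can be checked for in a project's dependency tree. The following is an added example (not code from the article or from Ledger): it walks a parsed package-lock.json in either the lockfileVersion 1 or the 2/3 layout and reports every install path that resolves to 1.1.5, 1.1.6 or 1.1.7, together with the fixed version to pin. The lockfile contents below are constructed sample data.

```javascript
// Compromised versions and the fixed release, as reported in the article.
const AFFECTED = { '@ledgerhq/connect-kit': new Set(['1.1.5', '1.1.6', '1.1.7']) };
const FIXED = { '@ledgerhq/connect-kit': '1.1.8' };

function isAffected(name, version) {
  return Boolean(AFFECTED[name] && AFFECTED[name].has(version));
}

// Return every occurrence of a compromised version with its install path.
// lockfileVersion 2/3 files list "packages" keyed by node_modules path;
// lockfileVersion 1 files nest "dependencies" recursively. A v2 file has
// both, so "dependencies" is only walked when "packages" is absent.
function findAffected(lock) {
  const hits = [];
  const record = (name, path, version) =>
    hits.push({ name, path, version, fixed: FIXED[name] });
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      // The root entry is "" and carries the project name, so derive the
      // package name from the last node_modules/ segment of the path.
      const name = meta.name && path !== '' ? meta.name : path.split('node_modules/').pop();
      if (isAffected(name, meta.version)) record(name, path, meta.version);
    }
    return hits;
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (isAffected(name, meta.version)) record(name, path, meta.version);
      walk(meta.dependencies, path + '/');
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Constructed sample lockfiles: one hoisted compromised copy in the v3 file,
// one transitive compromised copy in the v1 file.
const SAMPLE_LOCK_V3 = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-dapp', version: '1.0.0' },
    'node_modules/@ledgerhq/connect-kit': { version: '1.1.6' },
    'node_modules/some-wallet-ui': { version: '2.0.0' },
    'node_modules/some-wallet-ui/node_modules/@ledgerhq/connect-kit': { version: '1.1.8' },
  },
};
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    'some-wallet-ui': { version: '2.0.0', dependencies: { '@ledgerhq/connect-kit': { version: '1.1.5' } } },
  },
};
console.log(findAffected(SAMPLE_LOCK_V3), findAffected(SAMPLE_LOCK_V1));
```

To audit a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `findAffected`; an empty result means no locked copy of the package is at a compromised version.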
The malicious code used a rogue WalletConnect project to hijack funds to a wallet under the control of the attackers. Ledger’s security teams were alerted and fixed the issue within 40 minutes of becoming aware of it.
“This morning CET, a former Ledger Employee fell victim to a phishing attack that gained access to their NPMJS account. The attacker published a malicious version of the Ledger Connect Kit (affecting versions 1.1.5, 1.1.6, and 1.1.7),” continues the report. “The malicious code used a rogue WalletConnect project to reroute funds to a hacker wallet. Ledger’s technology and security teams were alerted and a fix was deployed within 40 minutes of Ledger becoming aware.”
The malicious version of the module was live for around 5 hours. Ledger, with the help of WalletConnect, quickly disabled the rogue project.
Ledger, WalletConnect and their partners identified the attackers’ wallet address (0x658729879fca881d9526480b82ae00efc54b5c2d), and Tether has frozen their funds.
(SecurityAffairs – hacking, Supply chain attack)