Ledger npm Repo Breached in Spear Phishing Attack

Ledger npm Repo Breached in Spear Phishing Attack

Background

Today’s security breach at Ledger, a leader in cryptocurrency hardware wallets, has raised significant alarms in the digital assets community. The breach was facilitated through a spear phishing attack on a former employee. Apparently, the goal of the phishing attempt was exfiltration of Ledger’s npmjs publishing credentials, which proved successful. For some reason, this former employee still had valid publishing creds and once obtained, the attacker used them to publish a malicious update to the package @ledgerhq/connect-kit; the affected versions of which were 1.1.5, 1.1.6, and 1.1.7. These version used a rogue WalletConnect project, a standard tool used for connecting decentralized applications to mobile wallets, to reroute funds to the hacker-controlled wallet.

--cta--

As Ledger stated in their X post, the malicious packages were active for approximately five hours, with a critical window of less than two hours where funds were actively drained. In coordination with WalletConnect, Ledger deployed a genuine and secure version 1.1.8 of the Ledger Connect Kit, effectively neutralizing the immediate threat. However, Ledger is still advising users to wait 24 hours until using the Ledger Connect Kit again; likely because they want requests to the poisoned CDN to fall out of the cache.

Attack Dynamics

To interface with Ledger's browser extension, decentralized application frontends (dApps) include a code snippet from Ledger, executed via a connect-kit-loader proxy. This proxy dynamically fetches and executes the latest version of connect-kit from npm. Hence, once the malicious versions were published to npm, any dApp using the official connect-kit-loader would inadvertently pull a malicious version when the user selected the Ledger Wallet Provider. Needless to say, this in turn compromises any downstream applications that rely on the connect-kit-loader.

Neodyme published a short technical analysis of the actual drainer code. In it, they say

the drainer fetches encrypted configuration data from Infura, a dApp backend provider…The config contains target wallets for multiple chains and a list of 400 “researcher” pubkeys which are NOT attacked. The drainer then does the usual draining: Check which wallet providers are inserted, enumerate addresses, check balances and send drain txs to the user to sign.

Conclusion

This breach is a yet another sobering reminder of the vulnerabilities inherent in digital asset management and the sophistication of attacks targeting this space. The use of obfuscation techniques and exploitation of trusted supply chains highlights the need for continuous vigilance and advanced security measures.

Phylum Research Team

Phylum Research Team

Hackers, Data Scientists, and Engineers responsible for the identification and takedown of software supply chain attackers.