Ledger, a provider of cryptocurrency wallets, has reported a significant loss for its users. Criminals distributed a malicious version of the Ledger Connect Kit through a phishing attack on a former employee. This kit is a crucial JavaScript library that links Ledger crypto wallets to third-party applications, also known as wallet-connected websites.
Yesterday, a former Ledger employee fell victim to a phishing attack, resulting in hackers gaining access to his NPMJS account. NPMJS is a central package manager for the JavaScript environment Node.js, claiming to be the world’s largest software repository. It hosts a vast archive of public, private, and commercial packages.
Having accessed the former employee’s account, the attackers spread an infected version of the Ledger Connect Kit. This compromised version used a rogue WalletConnect project to divert funds from Ledger users to the attackers’ wallets. The malicious code was active for about five hours, with cryptocurrency theft occurring over two hours. Crypto-researcher ZachXBT estimates the loss to be over $600,000. Ledger has committed to assisting the victims in recovering their funds and confirmed that the attack was limited to third-party apps using the Ledger Connect Kit.
Ledger claims that it is typically impossible for an ex-employee to distribute malicious software versions. New versions are supposed to be reviewed by multiple parties before release. Additionally, employees leaving the company should lose access to Ledger systems. However, Ledger has not explained why these protocols failed, describing it as an ‘isolated incident’. They have since rolled out a clean version of the Ledger Connect Kit and updated the ‘secrets’ for distributing code through Ledger’s GitHub.
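The attack described above worked because third-party apps pulled whichever Connect Kit release was current. As an added example (not Ledger's code), the following Node.js script audits a project's package.json and package-lock.json for dependency declarations that would silently accept a newly published release: floating semver ranges, lockfile entries without an integrity hash, and drift between the pinned version and what the lockfile resolved. The package names and file contents are constructed for the demonstration; it assumes the kit is consumed as an npm dependency.

```javascript
// Added example: audit npm dependency pinning so a freshly published (possibly
// malicious) version of a library is not pulled in automatically.

// Exact versions only: no ^, ~, ranges, wildcards or "latest".
function isExactVersion(range) {
  return /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/.test(String(range));
}

// Walks dependencies + devDependencies against lockfileVersion 2/3 "packages".
function auditDependencies(pkg, lock) {
  const findings = [];
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const locked = lock.packages || {};
  for (const [name, range] of Object.entries(deps)) {
    if (!isExactVersion(range)) {
      findings.push({ name, issue: 'floating-range', detail: range });
    }
    const entry = locked[`node_modules/${name}`];
    if (!entry) {
      findings.push({ name, issue: 'missing-from-lockfile' });
      continue;
    }
    if (!entry.integrity) {
      // Without an integrity hash, a republished tarball cannot be detected.
      findings.push({ name, issue: 'no-integrity-hash', detail: entry.version });
    }
    if (isExactVersion(range) && entry.version !== range) {
      findings.push({ name, issue: 'lockfile-drift', detail: `${range} vs ${entry.version}` });
    }
  }
  return findings;
}

// Constructed sample inputs (hypothetical package names, not real project files).
const samplePackageJson = {
  dependencies: {
    '@example/connect-kit': '^1.1.0', // caret: any future 1.x release is accepted
    'example-utils': '2.0.0',         // pinned exactly
  },
};
const samplePackageLock = {
  lockfileVersion: 3,
  packages: {
    'node_modules/@example/connect-kit': { version: '1.1.4' }, // no integrity field
    'node_modules/example-utils': { version: '2.0.0', integrity: 'sha512-CONSTRUCTED' },
  },
};

console.log(JSON.stringify(auditDependencies(samplePackageJson, samplePackageLock), null, 2));
```

Run it in CI against the real files and fail the build on any finding; the same idea applies to a kit loaded from a CDN, where the script URL should name an exact version rather than a "latest" tag.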