Cryptocurrency wallet maker Ledger says someone slipped malicious code into one of its JavaScript libraries to steal more than half a million dollars from victims.
The library in question is Connect Kit, which allows DApps - decentralized software applications - to connect to and use people's Ledger hardware wallets.
Pascal Gauthier, CEO of Ledger, in a public post said a former employee had been duped by a phishing attack, which allowed an unauthorized party to upload a malicious file to the company's NPM registry account.
Because dozens of crypto projects utilize the Connect Kit library, the potential financial loss could have been considerable.
The damage, however, was limited because the compromised file was live for only about five hours and actively draining wallets for about two.
During this period, it's claimed that the attacker managed to obtain more than $610,000 worth of crypto tokens.
Revoke.Cash, a service for revoking token approvals on crypto accounts - which was affected by the incident - reports losses on the order of $850,000.
According to Gauthier, the attack was addressed within 40 minutes of discovery, the attacker's blockchain address has been identified, and Tether has frozen the attacker's Tether tokens.
Gauthier insists standard practice at Ledger is that no one person can deploy code without a multiparty review.
Yet Ledger's account of the incident - a former employee surrendered credentials to a phishing scheme, allowing a miscreant to gain access to Ledger's NPM account to push through bad code - suggests this was one occasion where company security controls fell short.
According to Rosco Kalis, a software engineer for Revoke.Cash, Ledger did not have two-factor authentication in place for NPM; with it, the phished credentials alone would not have been enough to publish to the package.
What's more, Kalis claimed Ledger failed to revoke code publication rights for its former employee.
The Ledger leader's reference to the NPM distribution channel glosses over the way in which Connect Kit actually gets distributed.
Kalis pointed out that Ledger distributes Connect Kit through a content delivery network in a way that gives developers no means to pin the library - that is, to lock their application to a specific, reviewed version.
Instead, applications that depend on the library always fetch the latest release, which becomes a problem the moment the latest release has been hijacked.
Kalis accepted some of the blame, acknowledging that while Ledger should not have published its library in a way that did not support dependency pinning, Revoke.Cash should have realized Connect Kit's distribution method posed a security risk.
Kalis isn't ready to shoulder the burden of compensating those who have lost funds.
Ledger, based in France, did not immediately respond to a request for comment.
This Cyber News was published on go.theregister.com. Publication date: Sat, 16 Dec 2023 00:43:05 +0000