According to Blockworks, Ledger CEO Pascal Gauthier addressed the supply chain attack on its Ledger ConnectKit in a post on Thursday. Gauthier stated that standard practice at Ledger is that no single person can deploy code without review by multiple parties, and that strong access controls, internal reviews, and multi-signature code deployment are in place for most parts of their development. However, this was not the case on Thursday morning, when a former employee was the subject of a phishing attack that gave the attacker access to Ledger's package manager. It remains unclear how the former employee had retained access to the system.
Gauthier called the incident an unfortunate isolated event and emphasized the need for continuous improvement in security systems and processes. Ledger plans to implement stronger security controls, connecting their build pipeline to the NPM distribution channel for stricter software supply chain security. Additionally, Ledger will increase security around dapps that enable browser-based signing.
The incident was first reported on Thursday morning by decentralized exchange SushiSwap, which took its front-end web app offline after the warnings and advised users to avoid engaging with unexpected 'Connect Wallet' pop-ups. Revoke.cash was also impacted, according to cybersecurity firm BlockAid. Ledger deployed the genuine ConnectKit and worked with WalletConnect to take down the malicious code within 40 minutes of discovery. The exploit was active for approximately 5 hours before it was discovered and removed.
Tether CEO Paolo Ardoino posted that the attacker's address was frozen. Gauthier stated that Ledger is working with authorities and doing everything possible to help with the investigation: supporting affected users in identifying the bad actor and bringing them to justice, tracking the funds, and working with law enforcement to recover the stolen assets from the attacker.