Cyber Defense Advisors

Crypto Hardware Wallet Ledger’s Supply Chain Breach Results in $600,000 Theft

Crypto hardware wallet maker Ledger published a new version of its “@ledgerhq/connect-kit” npm module after unidentified threat actors pushed malicious code that led to the theft of more than $600,000 in virtual assets.

The compromise was the result of a former employee falling victim to a phishing attack, the company said in a statement.

This allowed the attackers to gain access to Ledger’s npm account and upload three malicious versions of the module – 1.1.5, 1.1.6, and 1.1.7 — and propagate crypto drainer malware to other applications that are dependent on the module, resulting in a software supply chain breach.

UPCOMING WEBINAR

Traditional security measures won’t cut it in today’s world. It’s time for Zero Trust Security. Secure your data like never before.

Join Now

“The malicious code used a rogue WalletConnect project to reroute funds to a hacker wallet,” Ledger said.

Connect Kit, as the name implies, makes it possible to connect DApps (short decentralized applications) to Ledger’s hardware wallets.

According to security firm Sonatype, version 1.1.7 directly embedded a wallet-draining payload to execute unauthorized transactions in order to transfer digital assets to an actor-controlled wallet.

Versions 1.1.5 and 1.1.6, while lacking an embedded drainer, were modified to download a secondary npm package, identified as 2e6d5f64604be31, which acts as a crypto drainer. The module is still available for download as of writing.

“Once installed into your software, the malware presents the users with a fake modal prompt that invites them to connect wallets,” Sonatype researcher Ilkka Turunen said. “Once the users click through this modal, the malware begins draining funds from the connected wallets.”

The malicious file is estimated to have been live for around five hours, although the active exploitation window during which the funds were drained was limited to a period of less than two hours.

Ledger has since removed all three malicious versions of Connect Kit from npm and published 1.1.8 to mitigate the issue. It has also reported the threat actor’s wallet addresses and noted that stablecoin issuer Tether has frozen the stolen funds.

If anything, the development underscores the continued targeting of open-source ecosystems, with software registries such as PyPI and npm increasingly used as vectors for installing malware through supply chain attacks.

“The specific targeting of cryptocurrency assets demonstrates the evolving tactics of cybercriminals to achieve significant financial gains within the space of hours, directly monetising their malware,” Turunen noted.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.