The wallet company confirmed that this week’s exploit was an unfortunate isolated incident, after which Ledger launched Connect Kit version 1.1.8 on December 14th, deactivating malicious code in Ledger and WalletConnect. Users are now protected, but as an extra precaution, it is recommended to wait for 24 hours and clear the browser cache.
Ledger’s Chairman and CEO, Pascal Gauthier, disclosed that the security breach occurred when a former staff member fell prey to a phishing attack.
- This enabled a malicious actor to upload a harmful file to Ledger’s NPMJS, a JavaScript code package manager shared across applications.
- Collaborating with partner WalletConnect, Ledger swiftly responded to the incident, managing to eliminate and deactivate the malicious code on NPMJS within 40 minutes of its discovery.
- In an update, Gauthier revealed that the standard practice at the Paris-based crypto hardware wallet platform is that no single person can deploy code without review by multiple parties. He admitted having strong access controls, internal reviews, and code multi-signatures when it comes to most parts of its development.
- Furthermore, when an employee departs from the company, their access to all Ledger systems is promptly revoked.
“This was an unfortunate isolated incident. It is a reminder that security is not static, and Ledger must continuously improve our security systems and processes. In this area, Ledger will implement stronger security controls, connecting our build pipeline that implements strict software supply chain security to the NPM distribution channel.”
- Ledger said that it is actively cooperating with authorities and assured that it will continue to assist in the ongoing investigation.
- The platform said that it will continue to work with affected users, collaborate to identify the responsible party, ensure legal consequences, trace the funds, and cooperate with law enforcement to facilitate the recovery of stolen assets from the hacker.
Binance Free $100 (Exclusive): Use this link to register and receive $100 free and 10% off fees on Binance Futures first month (terms).
Source: https://cryptopotato.com/ledger-addresses-security-breach-confirms-isolated-incident/