In a notable security incident, unidentified malicious actors targeted Ledger, a widely used hardware wallet provider, with the intention of exploiting its LedgerConnect kit. The attack was initially reported by Blockaid, a platform dedicated to safeguarding Web3 users. Over $480,000 worth of assets were reportedly pilfered before Ledger rectified the vulnerability.
Another hack
The assault, focused on Ledger Connector, took place on December 14th. The attackers successfully inserted a wallet-draining payload into the NPM package. Once the compromised package spread, the assailants took control of the front ends of various applications, such as Sushi, Hey, and Zapper, causing disruptions and allegedly absconding with assets valued in the hundreds of thousands of dollars.
The attack did not target any particular decentralized application or blockchain, such as Solana or Ethereum; rather, the hackers sought to exploit every protocol whose users relied on the LedgerConnect kit for asset management or transfers. To understand how the hack was carried out: the attackers directed their efforts at the Ledger NPM package. This connector plays a crucial role in letting Ledger wallet clients, whose keys are typically kept off-chain, securely connect online and manage their assets.
Time for damage control
The NPM package, in addition to providing a gateway to wallets, also serves as an interface. Through this interface, developers can integrate Ledger hardware wallets into applications, enabling Ledger users to securely participate in NFTs, DeFi, and other activities. Given that this attack exploited a vital piece of Ledger infrastructure capable of affecting all protocols irrespective of blockchain, analysts now categorize it as a supply chain attack. In DeFi protocol supply chain attacks, hackers target trusted service providers, primarily wallet providers or exchanges, in order to pilfer funds.
Responding to the incident, Ledger acknowledged that a script infected with malware was uploaded to the NPM registry at 9:44 AM UTC. Ledger stated that it took action promptly, deleting the malicious file and replacing it with a genuine version approximately four hours after the malicious upload, around 1:35 PM UTC.