The attack was an “unfortunate isolated incident,” according to Ledger’s CEO.
In response to the “supply chain attack” that affected Ledger ConnectKit, CEO Pascal Gauthier wrote a post on Thursday.
“At Ledger, we consider it standard practice to require the approval of multiple reviewers before any individual can deploy code. In most areas of our work, we have implemented robust access restrictions, conducted internal reviews, and used multi-signature code. Likely 99 percent of our internal systems fall under this category.”
According to Gauthier, when a staff member quits the organisation, their access to all Ledger systems is immediately disabled.
On Thursday morning, though, that changed: an attacker gained access to Ledger’s package-management system through a phishing attack on a former employee. It is not clear how the former employee still had working access to the system. Ledger did not immediately respond to a request for comment seeking clarification.
“This incident was regrettable and happened on an isolated basis,” Gauthier wrote. “This incident serves as a timely reminder that security is an evolving concept and that Ledger must work to enhance its security measures at all times. Here at Ledger, we’re putting in place tighter security measures by integrating our build process, which secures the software supply chain, with the NPM distribution route.”
Gauthier emphasized that Ledger provides a more secure foundation for building Dapps that support browser-based signing. Messages posted by Ledger’s official X account on Thursday emphasized the need for clear-signing transactions.
The website of Ledger states that “with transparent and clear signing, you are given a transformed version of the original data,” which aids the user in comprehending the content of the signed document.
Decentralized exchange SushiSwap was among the first to flag the incident on Thursday morning. It warned its users not to interact with unexpected “Connect Wallet” pop-ups and took its front-end web interface offline.
The cybersecurity company BlockAid said that Revoke.cash was also affected and that it pulled its front end offline.
Ledger deployed the genuine ConnectKit “within 40 minutes of discovery” and worked with WalletConnect to remove the malicious code. An early Thursday timeline from the company indicated that the malicious code was live for around five hours.
According to Tether CEO Paolo Ardoino’s statement on X, Tether also blocked the attacker’s address.
“In the course of this inquiry, Ledger has cooperated fully with the relevant authorities and is providing whatever assistance we can. Ledger will assist impacted users in locating and prosecuting this criminal, as well as in following the money and collaborating with authorities to reclaim the hacker’s stolen assets,” Gauthier said.