Crypto wallet Ledger supply chain vulnerability led to the theft of $600,000 in virtual assets

A supply chain attack on crypto hardware wallet manufacturer Ledger resulted in the theft of $600,000 in crypto assets. The attacker obtained Ledger's npm account through a phishing attack on a resigned employee, and uploaded a malicious version of the Connect Kit module. These malicious versions spread cryptocurrency-stealing malware to other applications that rely on the module, creating software supply chain vulnerabilities.

Crypto hardware wallet manufacturers Ledger A new version containing malicious code was released in its "@ledgerhq/connect-kit" npm module, resulting in the theft of over $600,000 in virtual assets.

The company said in a statement that the vulnerability originated from a phishing attack by a resigned employee, which allowed the attacker to access Ledger's npm account and upload three malicious versions (1.1.5, 1.1.6 and 1.1.7 ). These malicious versions steal cryptocurrencymalicious softwareSpreads to other applications that rely on this module, causing software supply chain vulnerabilities.

Ledger said: "The malicious code exploited a fake WalletConnect project to transfer funds tohackerwallet. "

Connect Kit, as its name suggests, can connect decentralized applications (DApps) to Ledger's hardware wallet.

Security firm Sonatype said version 1.1.7 directly embeds a wallet-stealing payload that is used to perform unauthorized transactions and transfer digital assets to attacker-controlled wallets.

Versions 1.1.5 and 1.1.6, while not having an embedded stealer, were modified to download a secondary npm package named 2e6d5f64604be31, which also acts as a cryptocurrency stealer. As of press time, the module is still available for download.

Crypto wallet Ledger supply chain vulnerability led to the theft of $600,000 in virtual assets

Sonatype researcher Ilkka Turunen said: “Once installed into your software, the malware displays a fake modal prompt to the user, inviting them to connect a wallet. Once the user clicks on the modal, the malware starts stealing from the connected wallet. funds."

It is estimated that the malicious file ran for approximately five hours, but the window of activity during which the funds were actually stolen was less than two hours.

Ledger has removed all three malicious Connect Kit versions from npm and released version 1.1.8 to mitigate the issues. The company also reported the attacker’s wallet address and noted that stablecoin issuer Tether had frozen the stolen funds.

The incident highlights the ongoing attacks on the open source ecosystem, with software registries like PyPI and npm increasingly being used to install malware through supply chain attacks.

Turunen noted: “This incident specifically targeted cryptocurrency assets and demonstrates the evolving strategies cybercriminals are employing to realize large financial gains within hours, directly monetizing malware.”

Original article, author: Chief Security Officer, if reprinted, please indicate the source: https://cncso.com/en/crypto-wallet-supply-chain-attack-leads-to-asset-theft.html

Like (0)
Previous December 14, 2023 10:04 pm
Next December 16, 2023 12:30 pm

related suggestion