Ledger Crypto Wallets Compromised by Supply Chain Attack, Users Lose Over $600K
-
Cryptocurrency wallet maker Ledger had malicious code inserted into its JavaScript library that stole over $600K from users' wallets.
-
The attack affected Ledger's Connect Kit library used by many crypto projects, with losses estimated around $850K over 2 hours before it was addressed.
-
A former employee was phished, allowing the attacker access to insert the malicious "crypto drainer" code undetected into Ledger's NPM account.
-
Ledger admits security practices around code deployment failed here, lacking 2FA on its NPM and failing to revoke publishing rights for the ex-employee.
-
Victims are seeking reimbursement from Ledger, but the company has not indicated if/how they will compensate for the exploit.