Crypto wallet Ledger supply chain vulnerability led to the theft of $600,000 in virtual assets

A supply chain attack on crypto hardware wallet manufacturer Ledger resulted in the theft of $600,000 in crypto assets. The attacker took over Ledger's npm account through a phishing attack on a former employee and uploaded malicious versions of the Connect Kit module. These malicious versions spread cryptocurrency-stealing malware to other applications that rely on the module, creating software supply chain vulnerabilities.

Crypto hardware wallet manufacturer Ledger released a new version of its "@ledgerhq/connect-kit" npm module containing malicious code, resulting in the theft of over $600,000 in virtual assets.

The company said in a statement that the vulnerability originated from a phishing attack on a former employee, which allowed the attacker to access Ledger's npm account and upload three malicious versions (1.1.5, 1.1.6 and 1.1.7). These malicious versions spread cryptocurrency-stealing malware to other applications that rely on this module, causing software supply chain vulnerabilities.

Ledger said: "The malicious code exploited a fake WalletConnect project to transfer funds to a hacker wallet."

Connect Kit, as its name suggests, can connect decentralized applications (DApps) to Ledger's hardware wallet.

Security firm Sonatype said version 1.1.7 directly embeds a wallet-stealing payload that is used to perform unauthorized transactions and transfer digital assets to attacker-controlled wallets.

Versions 1.1.5 and 1.1.6, while not having an embedded stealer, were modified to download a secondary npm package named 2e6d5f64604be31, which also acts as a cryptocurrency stealer. As of press time, the module is still available for download.


Sonatype researcher Ilkka Turunen said: "Once installed into your software, the malware displays a fake modal prompt to the user, inviting them to connect a wallet. Once the user clicks on the modal, the malware starts stealing funds from the connected wallet."

It is estimated that the malicious file ran for approximately five hours, but the window of activity during which the funds were actually stolen was less than two hours.

Ledger has removed all three malicious Connect Kit versions from npm and released version 1.1.8 to mitigate the issues. The company also reported the attacker’s wallet address and noted that stablecoin issuer Tether had frozen the stolen funds.

The incident highlights the ongoing attacks on the open source ecosystem, with software registries like PyPI and npm increasingly being used to install malware through supply chain attacks.

Turunen noted: “This incident specifically targeted cryptocurrency assets and demonstrates the evolving strategies cybercriminals are employing to realize large financial gains within hours, directly monetizing malware.”

Original article by Chief Security Officer; if reproduced, please credit https://www.cncso.com/en/crypto-wallet-supply-chain-attack-leads-to-asset-theft.html
