- Ledger’s Javascript connector library was hacked for less than two hours after a former employee’s credentials were phished. The hacker deployed malicious code without proper review.
- The hack was limited in scope and duration, not affecting Ledger hardware or Live platform. CEO Pascal Gauthier called it an “isolated incident.”
- In response, Ledger is implementing stronger controls over its build pipeline and NPM distribution. Ledger Connect Kit 1.1.8 is now safe to use again. Users are reminded to be vigilant against phishing.
On December 14th, Ledger’s Javascript connector library was hacked in what CEO Pascal Gauthier has called an “isolated incident”. The exploit was limited in scope and duration, but has raised concerns over security practices at the hardware wallet provider.
Details of the Hack
The hack ran for less than two hours before being deactivated. It was made possible when a former employee fell victim to a phishing attack, leaving their credentials exposed. The hacker was able to deploy malicious code without proper review. No Ledger hardware or the Ledger Live platform were affected.
Response from Ledger
Gauthier promised to implement stronger controls over Ledger‘s build pipeline and NPM distribution channel. He thanked several security researchers and companies for their assistance in identifying and resolving the issue. The hack could potentially affect any EVM user that interacted with the affected DApps.
Looking Ahead
While describing the event as “unfortunate,” Gauthier reiterated that it was an isolated incident. Ledger Connect Kit 1.1.8 is now safe to use again. The company is working with law enforcement to identify the hacker and bring them to justice. Users are reminded to remain vigilant against potential phishing attempts targeting their Ledger credentials.
