Ledger CEO Pascal Gauthier recently addressed the community about the recent hack that impacted Ledger and its systems.
Gauthier’s message to the community brought significant relief to users and stakeholders following confirmation that the hack had been neutralized.
Gauthier Addresses Hack
The hack in question involved the injection of malicious code into Ledger’s JavaScript library, targeting versions above version 11.4. In his message, Gauthier explained that the exploit resulted from a vulnerability that a bad actor took advantage of. The attacker gained access through a phishing attack on a former employee, which allowed them to upload a malicious file to Ledger’s account on NPMJS, the package registry for JavaScript code that is used across many applications.
According to Gauthier, when Ledger discovered the hack, its team responded immediately to mitigate its impact. Ledger collaborated with WalletConnect to remove the compromised NPMJS package and disable the malicious file. This was done within an hour of the exploit being identified, and it highlighted the team’s speed and efficiency in dealing with a critical security breach.
An Example Of Collective Strength
Gauthier stressed that Ledger’s response to the hack demonstrated the company’s resolve and was an example of the collective strength within the industry. He highlighted the incident and the response to it as a testament to the ability of the DeFi community to address security challenges effectively. The incident, according to Gauthier, also highlighted the collaborative spirit that is crucial in maintaining integrity and trust in the DeFi ecosystem.
Gauthier also assured users that Ledger’s internal processes prevent any single individual from having the authority to deploy code to Ledger’s ConnectKit. A multi-party review system has also been implemented to ensure robust security. He also stated that Ledger revokes system access for employees leaving the organization as part of its standard security protocol.
Continuous Improvement In Security Needed
Gauthier also acknowledged that security in the decentralized finance ecosystem is not static and must continually be improved. He added that Ledger remains committed to implementing stronger security protocols, particularly by connecting its build pipeline directly to the NPM distribution channel, so that strict software supply chain controls apply to everything that is published there.
Ledger has also introduced a new version of its ConnectKit in response to the recent security breach. The new version, labeled version 1.1.8, is a direct result of the lessons learned from the hacking incident and underlines Ledger’s commitment to improving its security. The company has advised users to upgrade to the new version immediately, as it introduces enhanced security measures designed to safeguard against similar vulnerabilities.
Once users install the new version of the Ledger Connect Kit, there is a 24-hour waiting period before it becomes fully operational. Ledger has stated that the delay is necessary to ensure all new security protocols are implemented and functioning as intended. Users have been advised to plan their updates accordingly to minimize any potential disruption to their use of Ledger.
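The two practical questions a downstream team faces after an incident like the one described above (a malicious version published to the npm registry, and a fixed version that everyone is told to upgrade to) are "is the compromised version anywhere in our dependency tree?" and "does our lockfile actually pin what we think it pins?". The following script is an added example, not Ledger's or WalletConnect's code, that audits a `package-lock.json` (lockfile version 2 or 3) for three things: a dependency resolved inside an advisory's affected version range, entries with no integrity hash, and tarballs resolved from somewhere other than the expected registry. The package name `@ledgerhq/connect-kit` is the real npm name of the Ledger Connect Kit; the affected range used here is an assumption for illustration and must be taken from the vendor advisory in real use, while the fixed version 1.1.8 is the one named in the article. The lockfile fragment is constructed for the demo.

```javascript
// Added example (not Ledger's code): audit a package-lock.json "packages" map
// (lockfileVersion 2/3) for known-compromised versions, missing integrity
// hashes and tarballs fetched from an unexpected registry.

const TRUSTED_REGISTRY = "https://registry.npmjs.org/";

// ASSUMED advisory data for illustration only; take real bounds from the
// vendor advisory. The fixed version 1.1.8 is the one the article cites.
const ADVISORIES = [
  {
    name: "@ledgerhq/connect-kit",
    affected: { min: "1.1.5", max: "1.1.7" }, // inclusive bounds (assumption)
    fixed: "1.1.8",
  },
];

// Parse "MAJOR.MINOR.PATCH" (any pre-release/build suffix is ignored).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v.trim().replace(/^v/, ""));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

function inRange(version, { min, max }) {
  return compareVersions(version, min) >= 0 && compareVersions(version, max) <= 0;
}

// Walk the "packages" map. Keys look like "node_modules/foo" or
// "node_modules/foo/node_modules/bar"; the package name is everything after
// the last "node_modules/". The "" key is the root project and is skipped.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue;
    const marker = "node_modules/";
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    const version = entry.version;

    for (const adv of ADVISORIES) {
      if (name === adv.name && version && inRange(version, adv.affected)) {
        findings.push({
          path,
          severity: "critical",
          reason: `known-compromised ${name}@${version}; upgrade to ${adv.fixed}`,
        });
      }
    }
    if (!entry.integrity) {
      findings.push({
        path,
        severity: "high",
        reason: "no integrity hash; npm cannot verify the tarball contents",
      });
    }
    if (entry.resolved && !entry.resolved.startsWith(TRUSTED_REGISTRY)) {
      findings.push({
        path,
        severity: "high",
        reason: `resolved from unexpected source ${entry.resolved}`,
      });
    }
  }
  return findings;
}

// Constructed sample lockfile fragment (not a real project's lockfile).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-dapp", version: "0.1.0" },
    "node_modules/@ledgerhq/connect-kit": {
      version: "1.1.6", // inside the assumed affected range
      resolved: "https://registry.npmjs.org/@ledgerhq/connect-kit/-/connect-kit-1.1.6.tgz",
      integrity: "sha512-CONSTRUCTED-PLACEHOLDER-HASH",
    },
    "node_modules/left-pad": {
      version: "1.3.0",
      resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
      // integrity deliberately absent
    },
    "node_modules/some-helper": {
      version: "2.0.0",
      resolved: "https://cdn.example.invalid/some-helper-2.0.0.tgz", // constructed, untrusted
      integrity: "sha512-CONSTRUCTED-PLACEHOLDER-HASH-2",
    },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`[${f.severity}] ${f.path}: ${f.reason}`);
}
```

In a real pipeline the lockfile would be read from disk (`JSON.parse(fs.readFileSync("package-lock.json"))`) and the script run as a CI gate that fails the build on any `critical` finding; the integrity and registry checks are what make a pinned lockfile meaningful, because a version number alone says nothing about which bytes were actually installed.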
The Attack On Ledger
Ledger fell victim to a hack after hackers compromised the code behind a protocol utilized by several Web3 applications and services. Ledger announced on X (formerly Twitter) that hackers had released a malicious version of its Connect Kit. Ledger stated at the time that hackers had replaced the genuine version of its software, and the company was investigating the developments and would provide a comprehensive update.
“The malicious version of the file was replaced with the genuine version at around 2:35 pm CET. The new genuine version should be propagated soon. We will provide a comprehensive report as soon as it’s ready. In the meantime, we’d like to remind the community to always Clear Sign your transactions – remember that the addresses and the information presented on your Ledger screen are the only genuine information.”