Crypto hardware wallet maker Ledger published a new version of its "@ledgerhq/connect-kit" npm module after unidentified threat actors pushed malicious code that led to the theft of more than $600,000 in virtual assets.
The compromise was the result of a former employee falling victim to a phishing attack, the company said in a statement.
This allowed the attackers to gain access to Ledger's npm account and upload three malicious versions of the module – 1.1.5, 1.1.6, and 1.1.7 — and propagate crypto drainer malware to other applications that are dependent on the module, resulting in a software supply chain breach.
"The malicious code used a rogue WalletConnect project to reroute funds to a hacker wallet," Ledger said.
Connect Kit, as the name implies, makes it possible to connect DApps (short decentralized applications) to Ledger's hardware wallets.
According to security firm Sonatype, version 1.1.7 directly embedded a wallet-draining payload to execute unauthorized transactions in order to transfer digital assets to an actor-controlled wallet.
Versions 1.1.5 and 1.1.6, while lacking an embedded drainer, were modified to download a secondary npm package, identified as 2e6d5f64604be31, which acted as a crypto drainer. The module is still available for download as of writing.
"Once installed into your software, the malware presents the users with a fake modal prompt that invites them to connect wallets," Sonatype researcher Ilkka Turunen said. "Once the users click through this modal, the malware begins draining funds from the connected wallets."
The malicious file is estimated to have been live for around five hours, although the active exploitation window during which the funds were drained was limited to a period of less than two hours.
Revoke.cash, which was one of the companies affected by the incident, said Ledger lacked two-factor authentication (2FA) protections for its deployment systems, thereby allowing an attacker to use the developer's compromised account to publish a malicious version of the software.
Ledger has since removed all three malicious versions of Connect Kit from npm and published 1.1.8 to mitigate the issue. It has also reported the threat actor's wallet addresses and noted that stablecoin issuer Tether has frozen the stolen funds.
If anything, the development underscores the continued targeting of open-source ecosystems, with software registries such as PyPI and npm increasingly used as vectors for installing malware through supply chain attacks.
"The specific targeting of cryptocurrency assets demonstrates the evolving tactics of cybercriminals to achieve significant financial gains within the space of hours, directly monetising their malware," Turunen noted.
Update
The fraudulent npm module in question, 2e6d5f64604be31, has now been removed from the package repository by its security team for containing "malicious code."