In light of the recent Ledger hack, Pascal Gauthier, Chairman and CEO of the hardware wallet maker Ledger, has issued a new update.
He began by acknowledging the exploit, in which malicious code was injected into the Ledger Connect Kit JavaScript library. It affected versions above 1.1.4, namely 1.1.5, 1.1.6 and 1.1.7. He went on to explain that the hack resulted from a loophole that the bad actor exploited.
A former employee fell victim to a phishing attack, which ultimately gave the bad actor the access needed to upload a malicious file to Ledger's account on NPMJS, the npm registry through which JavaScript packages are shared between applications. Ledger moved immediately to contain the situation with support from its partner WalletConnect. The malicious package version was removed from NPMJS and the malicious file was disabled at once.
All of this happened within forty minutes of the exploit's discovery. Gauthier held up the collaboration as a good example of the industry working swiftly together to tackle the security challenges that plague the ecosystem.
Ordinarily, no single person has the power to deploy code to Ledger's Connect Kit on their own; other parties must review the change first. Gauthier also clarified that every employee who leaves the company, at any time and for whatever reason, has their access to Ledger's systems revoked at once.
Ledger relies on access controls, internal reviews and multi-signature code review across most of its development; Gauthier put the coverage at 90% of the firm's development. His point was that Ledger had already adopted security practices to protect its users before this incident.
However, the latest attack is clear proof, and a reminder, that security is not static. In Gauthier's words, "Ledger must continuously improve our security systems and processes. In this area, Ledger will implement stronger security controls, connecting our build pipeline that implements strict software supply chain security to the NPM distribution channel."
A new version of Ledger Connect Kit has been released, and anyone who intends to keep using the tool is advised to upgrade to it. After installing Ledger Connect Kit version 1.1.8, users may need to wait up to 24 hours before the kit is active again. So far it is looking good, and Gauthier has assured users that the situation is now under control and that "the threat has passed."
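For a developer who ships a dApp, the practical question raised by the affected-version list above and the fixed release is whether their own build pulled in 1.1.5, 1.1.6 or 1.1.7. The script below is an added example, not code from the article or from Ledger: it audits an npm package-lock.json for installed copies of the library in the bad range and flags package.json ranges (such as a caret range on 1.1.4, which npm would happily resolve to 1.1.5 through 1.1.7) that could pull a bad version in on a fresh install. It assumes the library's npm package name is "@ledgerhq/connect-kit" (the article only says "Ledger Connect Kit" and "NPMJS"); the version numbers come from the article, and the lockfile it runs on is constructed for the example.

```javascript
// Added example, not Ledger's or the article's code: audit an npm package-lock.json
// for installs of a package whose version falls in a published bad range, and flag
// package.json ranges that would let npm resolve to one of those versions.
// Assumptions: "@ledgerhq/connect-kit" is the npm name of Ledger Connect Kit (the
// article only says "Ledger Connect Kit"); the affected range 1.1.5-1.1.7 and the
// fixed release 1.1.8 are taken from the article.

const ADVISORY = {
  name: "@ledgerhq/connect-kit",
  firstBad: "1.1.5",
  lastBad: "1.1.7",
  fixed: "1.1.8",
};

// Compare two plain x.y.z versions; returns -1, 0 or 1 (prerelease tags not handled).
function cmpVersion(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

function isAffected(version, advisory = ADVISORY) {
  return cmpVersion(version, advisory.firstBad) >= 0 &&
         cmpVersion(version, advisory.lastBad) <= 0;
}

// Turn a package.json range into [lower, upper) bounds. Handles exact pins, caret
// (^x.y.z => >=x.y.z <(x+1).0.0, or <0.(y+1).0 when x is 0) and tilde
// (~x.y.z => >=x.y.z <x.(y+1).0). Any other syntax returns null ("unknown").
function rangeBounds(range) {
  const m = /^([\^~]?)(\d+)\.(\d+)\.(\d+)$/.exec(range.trim());
  if (!m) return null;
  const [, op, maj, min, pat] = m;
  const lower = `${maj}.${min}.${pat}`;
  if (op === "^") {
    return { lower, upper: maj === "0" ? `0.${Number(min) + 1}.0` : `${Number(maj) + 1}.0.0` };
  }
  if (op === "~") return { lower, upper: `${maj}.${Number(min) + 1}.0` };
  return { lower, upper: null }; // exact pin
}

// True if the declared range admits at least one version in the bad range,
// false if it cannot, null if the range syntax is not understood.
function rangeAdmitsAffected(range, advisory = ADVISORY) {
  const b = rangeBounds(range);
  if (b === null) return null;
  if (b.upper === null) return isAffected(b.lower, advisory);
  // [lower, upper) and [firstBad, lastBad] overlap iff lower <= lastBad and firstBad < upper.
  return cmpVersion(b.lower, advisory.lastBad) <= 0 &&
         cmpVersion(advisory.firstBad, b.upper) < 0;
}

// Walk the lockfile's "packages" map (lockfileVersion 2 or 3). Keys look like
// "node_modules/@scope/name", or "node_modules/foo/node_modules/@scope/name" for
// nested installs, so the same package can appear more than once.
function findAffectedInstalls(lockfile, advisory = ADVISORY) {
  const hits = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (path === "" || !path.endsWith("node_modules/" + advisory.name)) continue;
    if (entry.version && isAffected(entry.version, advisory)) {
      hits.push({ path, version: entry.version, resolved: entry.resolved || null });
    }
  }
  return hits;
}

// The "" entry of the lockfile mirrors the root package.json; check its declared
// ranges for ones that could resolve to a bad version on a fresh install.
// Unknown range syntax (null) is kept as risky so a human looks at it.
function findRiskyRanges(lockfile, advisory = ADVISORY) {
  const root = (lockfile.packages || {})[""] || {};
  const risky = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    const range = (root[field] || {})[advisory.name];
    if (range !== undefined && rangeAdmitsAffected(range, advisory) !== false) {
      risky.push({ field, range });
    }
  }
  return risky;
}

function auditLockfile(lockfile, advisory = ADVISORY) {
  return {
    installed: findAffectedInstalls(lockfile, advisory),
    riskyRanges: findRiskyRanges(lockfile, advisory),
    fixed: advisory.fixed,
  };
}

// Constructed sample lockfile (not a real project): the root declares "^1.1.4", which
// npm could resolve to 1.1.5-1.1.7, one installed copy is on 1.1.6, and one nested copy
// is already on the fixed release.
const SAMPLE_LOCK = {
  name: "example-dapp",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-dapp", dependencies: { "@ledgerhq/connect-kit": "^1.1.4" } },
    "node_modules/@ledgerhq/connect-kit": {
      version: "1.1.6",
      resolved: "https://registry.npmjs.org/@ledgerhq/connect-kit/-/connect-kit-1.1.6.tgz",
    },
    "node_modules/some-wallet-ui/node_modules/@ledgerhq/connect-kit": { version: "1.1.8" },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
}
```

Two caveats when using this on a real project: the lockfile only records what npm installed, so a page that loads the library at runtime from a CDN or a script tag is not covered by this check, and a null from rangeAdmitsAffected (range syntax the script does not parse) is deliberately reported as risky rather than safe.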