
Decrypting the Ledger connect-kit compromise: A deep dive into the crypto drainer attack

Earlier today, Ledger, a maker of hardware wallets for storing crypto, announced that they had identified malicious software embedded in one of their open source packages, @ledgerhq/connect-kit. This package is widely used as a connector between decentralized blockchain applications and the crypto wallets that back them. This analysis delves into the specifics of the compromise of versions 1.1.5 to 1.1.7, cataloged in our data under sonatype-2023-4890.

Sonatype customers using Sonatype Repository Firewall and Sonatype Lifecycle are protected from this issue. Sonatype security research conducted a deep dive analysis into the issue as it surfaced.

Ledger have since published a complete timeline of the issue on their Twitter account.

Overview of the incident

The compromised versions of @ledgerhq/connect-kit are 1.1.5, 1.1.6, and 1.1.7. These versions are embedded in numerous crypto applications, from Ledger’s own connect-kit-loader to others like Revoke.cash. A critical aspect of this attack is the extensive dependency chain affected. The connect-kit-loader package is a dependency for over 20,454 GitHub repositories, indicating a broad attack surface.

https://twitter.com/Ledger/status/1735291427100455293

Details of the compromise

An employee of Ledger fell victim to a phishing attack, and the attackers gained access to Ledger’s npm account, from which the packages are distributed. Using the compromised credentials, they published malicious versions of the connector kit and, through those releases, propagated the drainer malware to dependent applications.

Malware analysis

Version 1.1.7: This version directly embeds a crypto drainer, a type of malware that executes unauthorized cryptocurrency transactions to transfer assets to attacker-controlled wallets.

Versions 1.1.5 and 1.1.6: These versions are more insidious. They lack an embedded drainer and instead download a secondary npm package, identified as 2e6d5f64604be31, which acts as the crypto drainer.

Once installed into your software, (Read more...)

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Ilkka Turunen. Read the original post at: https://blog.sonatype.com/decrypting-the-ledger-connect-kit-compromise-a-deep-dive-into-the-crypto-drainer-attack