Reddit Posts
Update: Ledger NPM Hack (14th Dec 2023)
Mentions
Yep. It was via a compromised NPM module. NPM is so popular. https://securityaffairs.com/156029/hacking/ledger-supply-chain-attack.html A former employee's account got phished and taken over.
I had forgotten about the ledger incident. Am I remembering correctly that it was an attack via NPM? People in the infosec community have been *very* uneasy about this style of package manager ever since Node and NPM popularized it. It's surprising that we don't see more attacks of this type.
This won't be the last of these library package supply chain attacks. Programmers are a very trusting lot. Even in the cryptocurrency space, many of them see no particular issue with blindly trusting, in perpetuity, the authors of their dependencies. Some languages and runtimes foster this culture of misplaced trust worse than others. They provide tools which allow for rapid development and prototyping, at the cost of blindly running a bunch of code from nebulous sources and sometimes anonymous authors. Any software ecosystem that handles library dependencies in this way is prone to this attack vector. In this case it was PyPI. NPM and the Node.js ecosystem also come to mind. This is a good example of one of the oldest conflicts in infosec: programmers trying to build things quickly, vs sensible security policies. These two interests always seem to clash.
Hey Reddit, I'm excited to share the launch of [BitEscrow](https://bitescrow.app/), a non-custodial Bitcoin escrow service designed to revolutionize Bitcoin transactions with enhanced security, speed, and affordability. Here's what we're announcing:

**1. Developer Playground**
- Experiment with our API in a safe, controlled environment.
- Support for all test chains.

**2. Brand-New Website**
- Discover our improved user experience and comprehensive resources.
- Features include a Developer Page, Branding Guide, Press Kit, Open Source Analytics, and extensive documentation.

**3. Developer Tools**
- Our API, SDKs, NPM libraries, and test suite are now available.
- Built from scratch using Typescript, providing the tools you need for any project.

**Key Features:**
- Non-custodial security 🔐
- 187x faster transactions ⏱️
- 1/5th the cost 🤑
- Zero paperwork 🪄

We're setting a new standard for escrow services, making Bitcoin transactions safer and more versatile. Check out our new website and Developer Playground at [BitEscrow.app](https://bitescrow.app/). Looking forward to your feedback and seeing what amazing projects you'll build with BitEscrow!
I was joking that "*the* malicious code" doesn't say much because there were so many. I assumed you meant this one (the xz backdoor) because it's the most recent majorly reported one that was clearly a backdoor, but backdoored packages are found every few months. Here are just a few random ones I found: [Python](https://securitylabs.datadoghq.com/articles/malicious-pypi-package-fastapi-toolkit/), [Python](https://arstechnica.com/security/2023/11/developers-targeted-with-malware-that-monitors-their-every-move/), [VSFTPD](https://www.broadcom.com/support/security-center/attacksignatures/detail?asid=33416), [NPM](https://www.theregister.com/2022/05/12/npm-attacks-code-white-jfrog/), but "npm package used by <huge number> of dependencies backdoored" has become a meme in the IT security community. And that's just the ones clearly identified as backdoors. Many of the security bugs could have also been introduced intentionally as a backdoor.

https://en.wikipedia.org/wiki/Log4Shell was particularly hilarious for many reasons:

* It existed for a very long time.
* It was enabled by creative chaining of features that individually all seemed harmless and useful, i.e. a logic bug and not some random memory corruption.
* The handling of it, once discovered, was pretty bad.
* It was trivial to exploit and gave the attacker remote code execution (considered the highest level of impact/access).
* Once it started to become publicly known, but before the security community really responded in force, it was *widely* exploited not by nation-state actors or criminal hacker groups, but... *kids hacking each other's Minecraft servers*. (I'm not joking, some of the more creative attack variants were first discovered in Minecraft, and while some targeted attempts happened earlier, really wide-scale exploitation was first seen against Minecraft).
Wallets have been hacked, especially in the early days with not-random entropy generators, and more recently with not-random signature nonces.

A malicious coder took over a minor NPM repository which had been abandoned by its developer. As a minor dependency for several javascript Bitcoin wallet apps, it was an opportunity to exfiltrate Bitcoin keys from users' wallets. And it was open source.

In 2010, someone defeated the controlled supply mechanism with a transaction that made billions of extra Bitcoin.

> that original wallet, the first one with millions in it, that was open in 2009

No such thing. Please stop repeating this myth.
Sounds to me like they are blindly pulling dependencies from NPM and trusting that upstream maintainers are not malicious or compromised. In other words, the software is at least partly open source, it seems the former employee is maintaining an upstream dependency.
I can at least give some quick definitions to start to shed light:
- CDN: "Content Delivery Network"
- NPM: "Node Package Manager"
  - in this context, NPM is an example of a CDN (NPM is a CDN, but not the other way around)
To get started I guess I have to find a five year old and ask what "CDN named NPM" means.
Recently (maybe after this comment) it was disclosed that the attack started through a Ledger employee with the account `@CET` on NPM. Though I agree that any publishing task that `@CET` had authority on was a risk, I'm not seeing that this user published any other packages recently. Is there another reason why this risk isn't contained to the packages `@CET` maintained?
I disagree. The Dec 14th exploit affected all wallets that used un-frozen NPM packages that user `@CET` had NPM publishing rights to. There is no indication that `@CET` has publishing privileges on dependencies of any other wallets like coldcard. My feel is that this is a Ledger only problem, since those were the only dependencies hit, and there is no indication that other HW wallet makers are as carefree with rolling releases of dependencies or retention of credentials.
How is it possible to believe this, when a compromised ex-employee account was able to update such a critical library on NPM? They most probably had no relevant security in place.

*The standard practice at Ledger is that no single person can deploy code without review by multiple parties. We have strong access controls, internal reviews, and code multi-signatures when it comes to most parts of our development. This is the case in 99% of our internal systems.*
The attack was launched on CDN `jsdelivr.net`. No word if multiple CDNs were attacked, or if multiple packages on those CDNs were attacked. Too many unknowns. As the tweet suggests, crypto wallets really need to be using version locking / freezing to get out of these types of NPM leftpad issues.
Working theory is that somebody hacked `jsdelivr.net` and replaced `@ledgerhq/connect-kit` v1.1.4 with bogus versions (.5 to .7). The bad versions don't show up on NPM so it seems dependent upon what CDN was used. No word from admins at `jsdelivr` as to how this happened. https://github.com/LedgerHQ/connect-kit/issues/29 For app developers, remember to freeze known good upstreams where possible over using rolling releases. Tons more maintenance, but tons safer too.
> Please explain this to me like a 5 year old - Ledger compromised

Ledger published their code to what is called a CDN named NPM. Attacking a CDN is, unfortunately, getting rather common. Attack goes like this:

1. Ledger makes code on github
2. Ledger builds code and publishes the binary to a CDN
3. Others include the binary from CDN because it's better bandwidth than github
4. Attacker hacks CDN and sends a fake "upgrade" to the binary
5. Others including the binary fail to put a version number on the include
6. Those failing to include the version get the malware

To avoid this, wallet developers (Ledger included) need to perform what's called "freezes" where they lock the version of code tested so that "upstream" updates don't trickle into their apps. It was extremely easy to spot since the last version of the package on github was 1.1.4 yet the CDN rolled to 1.1.5, 1.1.6, and 1.1.7. That's a huge red flag and should have been (and was) caught by any developer auditing dependencies.
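The "freeze" that the two comments above recommend can be checked mechanically. This is an added example, not code from the thread or from Ledger: it audits a package.json against its package-lock.json and flags dependencies declared with a range or dist-tag instead of an exact version, plus exact pins whose lockfile-resolved version has drifted. The two manifests are constructed samples, with the connect-kit version numbers modelled on the 1.1.4 vs 1.1.5 to 1.1.7 case described above.

```javascript
// Added example (not from the thread or from Ledger): audit a package.json and its
// package-lock.json for the two ways a "freeze" can fail: a dependency declared with a
// range or dist-tag instead of an exact version, and a lockfile whose resolved version
// no longer matches an exact pin. Both manifests below are constructed samples.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "wallet-frontend",
  dependencies: {
    "@ledgerhq/connect-kit": "^1.1.4", // caret range: accepts 1.1.5, 1.1.6, 1.1.7
    "left-pad": "1.3.0",               // exact pin, but see the lockfile below
    "some-lib": "latest",              // dist-tag: follows whatever is published next
    "safe-dep": "2.4.0"                // exact pin that matches the lockfile
  }
});

const SAMPLE_LOCKFILE = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    "node_modules/@ledgerhq/connect-kit": { version: "1.1.7" },
    "node_modules/left-pad": { version: "1.3.1" },
    "node_modules/some-lib": { version: "2.0.1" },
    "node_modules/safe-dep": { version: "2.4.0" }
  }
});

// An exact pin is a bare semver triple, optionally with a prerelease or build suffix.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$/;
function isExactPin(spec) {
  return EXACT_VERSION.test(spec);
}

// Returns one finding per dependency that is either not pinned to an exact version
// ("unpinned") or whose lockfile-resolved version differs from its pin ("lockfile-drift").
function auditDependencies(pkgJsonText, lockText) {
  const deps = JSON.parse(pkgJsonText).dependencies || {};
  const locked = JSON.parse(lockText).packages || {};
  const findings = [];
  for (const [name, spec] of Object.entries(deps)) {
    const resolved = (locked[`node_modules/${name}`] || {}).version;
    if (!isExactPin(spec)) {
      findings.push({ name, issue: "unpinned", spec, resolved });
    } else if (resolved !== spec) {
      findings.push({ name, issue: "lockfile-drift", spec, resolved });
    }
  }
  return findings;
}

for (const f of auditDependencies(SAMPLE_PACKAGE_JSON, SAMPLE_LOCKFILE)) {
  console.log(`${f.issue}: ${f.name} declared ${f.spec}, lockfile has ${f.resolved}`);
}
```

A lockfile-drift finding is what a 1.1.5 through 1.1.7 install would look like against a 1.1.4 pin; installing with `npm ci` rather than `npm install` additionally makes the lockfile authoritative at build time and fails if it disagrees with package.json.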
Ledger NPM hack details: https://github.com/LedgerHQ/connect-kit/issues/29
Over the years malicious backdoors have been inserted into bitcoin wallets like [bitpay/copay](https://finance.yahoo.com/news/bitpay-copay-wallet-compromised-malicious-120900206.html), and more recently into Specter by NPM dependencies. I have been dice rolling my mnemonic seeds since Coldcard Mk1