Charles Guillemet, the CTO of Ledger, has made a statement regarding a recent unsuccessful attack on the NPM platform, affecting popular software.
Overview of the Attack
Guillemet stated that the attack was unsuccessful and 'virtually no victims were affected.' He explained that the attack began with a phishing email sent from a fake npm support domain, which allowed the attackers to steal developer credentials and release malicious package updates.
Targets and Consequences
The malicious code targeted web cryptocurrency activity, attempting to interfere with transactions on Ethereum, Solana, and other chains. Specifically, it attempted to steal user funds by directly manipulating wallet addresses in network responses. However, the attack was detected early and its impact was limited when errors caused crashes in CI/CD processes.
Security Warning
Guillemet pointed out that assets held in software wallets and exchanges are at great risk and issued the following warning: 'If your funds are sitting in a software wallet or exchange, you can lose everything with a single code execution. Supply chain attacks continue to be a powerful malware spreading method.'
The Ledger CTO reminded that hardware wallets are safer against such threats and argued that security features such as Clear Signing and Transaction Checks show the user suspicious activities.
Charles Guillemet's statement emphasizes the importance of reliable cryptocurrency storage methods and a thoughtful approach to security in the face of increasing threats from hackers.
