Phishing Attack Led to Supply Chain Compromise, $600K Theft at Ledger
$80m pig butchering scam disrupted, Google change could limit access to location data, Security engineer pleads guilty to high-profile hacks, Ubiquiti flaw allowed users to see others, much more
Crypto wallet manufacturer Ledger confirmed that an exploit, which led it to warn users to “stop using dapps,” started because a former employee fell for a phishing scam, with the attacker stealing at least $600,000 from multiple Web3 apps.
The former employee’s name and email address showed up in the compromised code. Initially, the crypto community took it to mean that the developer himself was responsible for the exploit, but Ledger later confirmed the attack began because “a former Ledger employee fell victim to a phishing attack.”
The attacker was able to gain access to the former employee’s account on NPMJS, a package manager for the JavaScript programming language. Packages are libraries that developers can use to build projects rather than coding everything fr…