10 sats \ 3 replies \ @ladyluck 14 Dec 2023 \ on: We have identified and removed a malicious version of the Ledger Connect Kit bitcoin
Was the malicious version inserted in the kit by an employer?
write
preview
31 sats \ 2 replies \ @nerd2ninja 14 Dec 2023
Insider threat babyyyyy
Or ledger the company got hacked somewhere that allowed the attacker to push this malicious update. Hard to know without ledger (or the attacker lel) telling us.
reply
0 sats \ 1 reply \ @0xbitcoiner OP 14 Dec 2023
If it's an inside job, it's very bad. Basically everything could be compromised.
Shouldn't the commits be multi-keyed?
edit: multisig
reply
70 sats \ 0 replies \ @nerd2ninja 14 Dec 2023
I don't know how ledger runs their business, but I got a screenshot of a tweet from another chat (twitter user @MatthewLilley) which says
  1. They are loading JS from a CDN
  2. They are not version locking loaded JS
  3. They had their CDN compromised
reply