pull down to refresh

Insider threat babyyyyy
Or ledger the company got hacked somewhere that allowed the attacker to push this malicious update. Hard to know without ledger (or the attacker lel) telling us.
If it's an inside job, it's very bad. Basically everything could be compromised.
Shouldn't the commits be multi-keyed?
edit: multisig
reply
I don't know how ledger runs their business, but I got a screenshot of a tweet from another chat (twitter user @MatthewLilley) which says
  1. They are loading JS from a CDN
  2. They are not version locking loaded JS
  3. They had their CDN compromised
reply