Three Lessons from the Ledger Connect Kit Supply Chain Attack

user profile
Head of Security Research

Lesson 1: Package and Code Integrity Is Paramount

The Ledger Connect Kit attack relied on unauthorized access to Node Package Manager (NPM) pushing malicious packages. The standard procedure for pushing packages into package managers include several security gateways that verify the authenticity and integrity of the code. These include:

  • Code repositories with branch protection settings that prevent users from pushing code directly to the main branch
  • Having multiple reviewers reduces the risk of one maintainer pushing malicious code
  • Performing security scans for vulnerabilities and open-source dependencies
  • Using a secure build system and secure access methods for package deployment

The Ledger compromise involved obtaining NPM credentials from a former employee, bypassing all of the above.

When questioning how an attack like this could be mitigated, SLSA (Supply-chain Levels for Software Artifacts) and SSDF (Secure Software Development Framework) by NIST address this problem specifically.

The SLSA standard promotes artifact integrity by attaching a provenance document to every artifact. The provenance document describes when and how something was built so it can be traced back to the source.

Several emerging tools ​​can determine the generation and verification of SLSA provenance. The ecosystem recently added support for attaching provenance documents directly to packages created in GitHub Actions and GitLab CI. There is still a lack of verification tools, but this only emphasizes the need for a unified platform to help with the organization’s overall posture, including the integrity of its artifacts.

Lesson 2: SDLC Security Matters, Especially for Billion-Dollar Companies

Ledger boasts a multi-million dollar business yet fell victim to this attack. It is a stark reminder that robust software development lifecycle (SDLC) security controls are essential for all organizations, regardless of size or revenue. This includes managing access to all sensitive assets within the development pipeline, enforcing strong authorization policies and least privilege, hardening pipeline integrity, and additional controls that prevent malicious actors from infiltrating the software supply chain.

In addition to the direct financial loss, such attacks damage users’ trust, which can be far greater than the direct financial loss.

Lesson 3: Don’t Stop at SCA – Embrace ASPM

While Software Composition Analysis (SCA) tools played a role in identifying the specific version of the Ledger Connect Kit package by determining whether the project was using the malicious version, they were insufficient in detecting the attack and determining the malicious intent of the package. As part of an Application Security Posture Management (ASPM) approach, SCA can be integrated with tools such as secrets scanners to detect leaked tokens, CI/CD security solutions to prevent code tampering, build hardening to monitor builds, and pipeline integrity solutions such as SSDF and SLSA to provide a multilayered defense against sophisticated threats.

Summary and Call to Action

The Ledger Connect Kit compromise is a wake-up call for every organization handling software development and delivery. Organizations can significantly reduce the risk of becoming the next victim in a similar attack by prioritizing package and code integrity, investing in robust SDLC security, and adopting a comprehensive ASPM strategy. Don’t wait for a crisis to strike. Take proactive steps to secure your software supply chain and safeguard your users’ trust.

How Cycode Helps with SDLC Security

Cycode’s security-first, developer-friendly AppSec platform provides visibility, prioritization, and remediation for security, engineering, and DevOps teams throughout the software development lifecycle.

By offering a single, unified ASPM platform that consolidates SAST, SCA, IaC scanning, pipeline security, secrets scanning, and code leak detection, Cycode gives security teams and developers peace of mind. In addition to our own suite of scanning tools, we can ingest data from third-party scanners to give you a full view of your application risk.

Learn more about ASPM, including hardcoded secrets detection, CI/CD security, and source code leakage detection now, or book a demo to see the platform in action.

Originally published: December 18, 2023