Background Today’s security breach at Ledger, a leader in cryptocurrency hardware wallets, has raised significant alarms in the digital assets community. The breach was facilitated through a spear phishing attack on a former employee. Apparently, the goal of the phishing attempt was exfiltration of Ledger’s npmjs publishing credentials,| Phylum Research | Software Supply Chain Security
On October 30, 2023 Phylum’s automated risk detection platform alerted us to a strange publication to npm called puma-com. Upon investigation, we found a very convoluted attack chain that ultimately pulled a remote file, manipulated it in place, called an exported function from that file, and then meticulously covered| Phylum Research | Software Supply Chain Security