14. December 2023
Ledger's NPM Account Hacked: Lessons Learned
In recent news, it has come to light that Ledger, the hardware wallet manufacturer, has experienced a security breach involving its NPM account. This incident has raised concerns about supply chain attacks and the importance of code signing and secure development practices. Let’s dive into some key insights and lessons learned from user comments on this topic.
Negligence in Code Signing Support by NPM
One user, @lrvick, shared their frustration with NPM’s reluctance to support optional signing, stating that the NPM team believes no signing at all is better than pressuring developers to sign. They highlighted the importance of code signing for securing the software supply chain. While PGP (Pretty Good Privacy) is widely used for signing in various domains, including Linux distributions, NPM has refused to accept community-contributed signing support, promising to introduce a better solution that has yet to materialize.
Challenges with NPM’s Approach to Security
Another user, @rkeene2, pointed out a previous issue with NPM causing the integrity field to go missing in package-lock.json files during installation, leading to potential security vulnerabilities. These concerns highlight the challenges that arise when relying on a centralized package manager and the need for robust security measures.
NPM Provenance as a Step Towards Code Signing
Addressing the criticism, user @feross clarified that NPM did introduce a form of code signing called “NPM provenance” in April 2023. They shared a deep dive on the feature, explaining how developers can sign their NPM packages. While this is a step forward, @lrvick challenged the centralized nature of this solution compared to the decentralized approach of PGP signing keys. They emphasized the need for a secure and accountable infrastructure for signing, rather than relying on third-party services.
The Success of PGP Signing in Other Ecosystems
Bringing insight from other ecosystems, @lrvick highlighted how Debian and Arch successfully use PGP signing for NPM packages, emphasizing low supply chain attack rates compared to NPM. They advocated for PGP as the default recommendation for developers and the ability for end users to set policies for installing only trusted and signed packages.
The Impressive Web of Trust in Debian
User @matheusmoreira praised the web of trust implemented in Debian, where developers must provide an OpenPGP key signed by existing project members to join the project. This process adds an additional layer of security by validating and verifying the identities of developers.
The Role of Transaction Signing in Ethereum
The discussion expanded to the role of transaction signing in Ethereum. User @woah raised concerns about blind signing, which is the default behavior when using Ethereum with devices like Ledger wallets. They criticized the lack of human-readable transaction information and emphasized the need for users to view and understand the transactions they are signing to prevent phishing attacks. This highlights the importance of Ethereum and wallet developers ensuring that signing blobs are easily readable and understandable by users.
Socket’s Contribution to Supply Chain Security
The conversation also highlighted the work of Socket, an AI-powered scanner for detecting and blocking supply chain attacks. User @feross, one of the developers behind Socket, shared that their platform successfully detected the compromised package in the Ledger incident. Socket’s approach combines static analysis with a large language model (LLM) to detect novel attacks that evade traditional scanning tools. They also mentioned plans to write a blog post explaining how their static analysis engine works.
Request for JSON/SSE Malware List
User @stevelacy inquired about consuming Socket’s malware list as JSON/SSE (Server-Sent Events) format for easier integration. @feross confirmed that this is possible and provided contact information.
Learning from the Incident at Ledger
While this unfortunate incident at Ledger highlights the vulnerabilities in the software supply chain, it also sheds light on the importance of code signing, secure development practices, and user awareness when signing transactions. The community can learn from this incident and work towards more robust and decentralized solutions to bolster security in the software ecosystem.