ExchangeDEX+

Buy Crypto Markets Spot Futures500X Earn Events

Gold Bar & BTC Giveaway2000g

This article explains how a poisoned NPM package led to stolen Bitcoin, why the protocol remained secure, and why Bitcoin-only tools like…Continue reading on Coinmonks »This article explains how a poisoned NPM package led to stolen Bitcoin, why the protocol remained secure, and why Bitcoin-only tools like…Continue reading on Coinmonks »

When Software Fails: The Ledger Live Supply-Chain Compromise

Author: Medium

Source: Medium

2025/09/10 21:29

LIKE$0.004503+14.69%

LIVE$0.00005364-6.20%

WHY$0.00000001529+0.13%

This article explains how a poisoned NPM package led to stolen Bitcoin, why the protocol remained secure, and why Bitcoin-only tools like Coldcard and Sparrow avoid this risk.

Michael P. Di Fulvio

6 min read

Just now

Abstract

In December 2023, Ledger Live—the software companion to Ledger hardware wallets—was compromised through a poisoned NPM dependency, allowing attackers to silently replace recipient Bitcoin addresses during transaction construction. Nearly $1 million in assets was stolen before the issue was patched. While the Bitcoin protocol and Ledger devices remained uncompromised, the attack revealed the fragility of modern dependency chains and the risks of user complacency during address verification. As of 2025, the stolen funds remain scattered across the blockchain, and the lessons remain urgent: supply-chain vulnerabilities are an ongoing threat, and hardware wallet screens—not application interfaces—must be treated as the final source of truth.

Introduction

In late 2023, Ledger Live—the companion application for Ledger hardware wallets—became the focal point of a supply-chain attack. The incident did not compromise Bitcoin itself, nor the Ledger…

Market Opportunity

Wink Price(LIKE)

$0.004503

$0.004503$0.004503

+14.40%

USD

Wink (LIKE) Live Price Chart

Disclaimer: The articles reposted on this site are sourced from public platforms and are provided for informational purposes only. They do not necessarily reflect the views of MEXC. All rights remain with the original authors. If you believe any content infringes on third-party rights, please contact service@support.mexc.com for removal. MEXC makes no guarantees regarding the accuracy, completeness, or timeliness of the content and is not responsible for any actions taken based on the information provided. The content does not constitute financial, legal, or other professional advice, nor should it be considered a recommendation or endorsement by MEXC.