Source: Coinmonks

When Software Fails: The Ledger Live Supply-Chain Compromise

2025/09/10 21:29

This article explains how a poisoned NPM package led to stolen Bitcoin, why the protocol remained secure, and why Bitcoin-only tools like Coldcard and Sparrow avoid this risk.

Michael P. Di Fulvio

The Ledger Live Supply-Chain Attack: Protocol-Level Lessons on Dependency Risk in Bitcoin Custody

Abstract

In December 2023, the Ledger Connect Kit, the NPM library that web applications load to connect to Ledger hardware wallets, was poisoned: an attacker who had phished a former Ledger employee's npm account published malicious versions of the package, and sites that fetched the library at runtime served the injected code to every visitor for a window of a few hours. That code was a wallet drainer: it tampered with transaction construction so that the transactions users were asked to approve actually sent funds to attacker-controlled addresses. Roughly $600,000 in assets was stolen before the malicious versions were replaced. The Bitcoin protocol and the Ledger devices themselves were not compromised; what failed was the software sitting between the user and the device, and the users who approved transactions without reading the device screen. As of 2025, the stolen funds remain scattered across the blockchain, and the lessons remain urgent: compromised dependencies are an ongoing threat, and the hardware wallet screen, which decodes the transaction it is actually about to sign, must be treated as the final source of truth rather than any address shown by the application.
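The following is an added example, not code from the article or from Ledger. It models in plain JavaScript why a dependency that swaps the recipient address defeats any check the application performs on itself, and why the device's own decoding of the transaction bytes is the only view worth trusting. The `amount:address` transaction format, the `makeApp`, `installPoisonedDependency`, `deviceScreen` and `simulateSend` names, and both addresses are hypothetical constructions for the demonstration.

```javascript
// Added example (not from the article or Ledger's code base). It models a wallet
// application, a poisoned dependency that swaps the recipient, and a hardware
// device that decodes the transaction on its own. The "transaction" format here
// is a hypothetical "sats:address" list, not real Bitcoin serialization.

// Constructed placeholder addresses (not real).
const USER_ADDRESS = 'bc1quserintendedrecipient00000000000000000';
const ATTACKER_ADDRESS = 'bc1qattackercontrolled0000000000000000000000';

// --- Shared transaction encoding: outputs serialized as "sats:address|sats:address" ---
function serializeTx(outputs) {
  return outputs.map((o) => `${o.amountSats}:${o.address}`).join('|');
}
function parseTx(serialized) {
  return serialized.split('|').map((part) => {
    const [amountSats, address] = part.split(':');
    return { amountSats: Number(amountSats), address };
  });
}

// --- Wallet application: one Node process, and every npm dependency it loads
// shares this scope and can reach the same objects. ---
function makeApp() {
  return {
    // Builds the unsigned transaction from what the user typed.
    buildTx(intent) {
      return serializeTx([{ amountSats: intent.amountSats, address: intent.to }]);
    },
    // The app's own review screen: decodes the transaction it is about to send to the device.
    reviewAddresses(serialized) {
      return parseTx(serialized).map((o) => o.address);
    },
    // In-app safety check: does the review match the intent?
    selfCheck(intent, serialized) {
      return this.reviewAddresses(serialized).every((a) => a === intent.to);
    },
  };
}

// --- Poisoned dependency: at load time it patches the app objects it can reach. ---
function installPoisonedDependency(app) {
  const realBuild = app.buildTx.bind(app);
  let lastTyped = null;
  app.buildTx = (intent) => {
    lastTyped = intent.to;                                  // remember what the user expects to see
    return realBuild({ ...intent, to: ATTACKER_ADDRESS });  // but pay the attacker
  };
  // Make the app's review lie consistently: show the address the user typed,
  // so selfCheck() (which goes through reviewAddresses) still passes.
  app.reviewAddresses = () => [lastTyped];
}

// --- Hardware device: a separate trust domain. It receives only the serialized
// transaction and decodes it with its own parser; it never sees the app's UI state.
// In a real device this runs in firmware the app cannot patch; in this model it is
// simply a function the poisoned module does not touch. ---
function deviceScreen(serialized) {
  return parseTx(serialized).map((o) => `${o.amountSats} sats -> ${o.address}`);
}

// Run one send through the app, with or without the poisoned dependency, and
// report what each party sees.
function simulateSend(intent, poisoned) {
  const app = makeApp();
  if (poisoned) installPoisonedDependency(app);
  const tx = app.buildTx(intent);
  const deviceLines = deviceScreen(tx);
  return {
    appReview: app.reviewAddresses(tx),
    appSelfCheckPassed: app.selfCheck(intent, tx),
    deviceLines,
    // The user's job: compare the device line to the intent. This is the only
    // comparison that does not run inside the (possibly compromised) process.
    deviceMatchesIntent: deviceLines.every((l) => l.endsWith(`-> ${intent.to}`)),
  };
}

// Demo output when run directly with node.
if (typeof require !== 'undefined' && require.main === module) {
  const intent = { to: USER_ADDRESS, amountSats: 50000 };
  console.log('clean   :', simulateSend(intent, false));
  console.log('poisoned:', simulateSend(intent, true));
}
```

In the poisoned run the app's review and its self-check both report the address the user typed, because the dependency controls both the builder and the review; only the device line, produced from the bytes the device would actually sign, shows the attacker address. That asymmetry is the whole argument for reading the device screen rather than the application.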

Introduction

In late 2023, Ledger Live—the companion application for Ledger hardware wallets—became the focal point of a supply-chain attack. The incident did not compromise Bitcoin itself, nor the Ledger…
