TechFlow news: Yu Xian, founder of SlowMist, posted on X platform regarding the Ledger Connect Kit vulnerability incident, advising project teams to pay attention to the following:
- The poisoned module involved in the Ledger incident was hosted on the npmjs platform. After the former employee's npmjs account was compromised through phishing, attackers were able to publish malicious versions of the module at will.
- Once published, the module is automatically synced to the jsDelivr CDN network.
- Ledger’s Connect Kit directly imports JavaScript files from jsDelivr CDN without binding file hashes or strictly restricting version imports—this approach is overly simplistic and risky.
- A former employee still had access to such a critical permission, indicating that internal security management needs significant improvement. Apply the principle of least privilege: if an insider acts maliciously, can it be effectively prevented and promptly detected?
- Note that although the poisoned versions have been removed from Ledger’s npmjs repository, the malicious JavaScript files are still accessible via jsDelivr.
These security recommendations are provided for other projects to learn from. Don’t cut corners—every security incident is an opportunity to review and strengthen your own defenses.




