The official Ledger post is here: [1], and we have asked there whether there will be a post-mortem. Personally I think companies such as Ledger should be very aware of and active against supply chain attacks [2]. They are not the first, and they are a security company.
Can anyone using the NPM ecosystem actually control their supply chain? Personally, I feel that anyone using JavaScript doesn’t care about such things. Because they can’t. Or has the landscape changed?
You can make things a bit better immediately by installing an outbound firewall like Little Snitch or OpenSnitch.
And then if you install a malicious package that phones home, you might get an alert.
Of course this doesn't guarantee anything, as the package might activate the malicious behavior only under some specific circumstances. But it also doesn't cost anything. So it's a small win in my book.
I mean, I use NPM, but I'm making a small traffic news site with no APT enemies. If you're making a wallet and think "Yes, auto-updating dependencies sounds like a good idea," maybe you're not very good at security?
It will not; this is an identical attack to the Copay wallet hack over 5 years ago.
Solutions like lavamoat have been proposed and implemented in places, but they will not scale to the entire industry. There's a bigger problem in how innovation speed / developer convenience is inversely related to security.
In many cases it's literally cheaper to just wait for an attack and make victims whole. And even if not, it's hard to explain to your investors why it takes you half a year to build a product that took your competitors a month, so you just pretend the threat doesn't exist.
I think it is more about solving some supply-chain attacks. For example, adding a hash in a central place to check whether the CDN content is valid. Something along those lines.
This is literally done intentionally so that Ledger can update the library underneath dApp developers, without requiring them to release an upgrade to their apps. Was this a good choice? No. But it was done on purpose.
I don't have that expectation, why would some library for dApps (or some other crypto nonsense) care about security? Like do you take this industry seriously? Why on earth would you?
[1] https://nitter.net/Ledger/status/1735291427100455293
[2] https://en.wikipedia.org/wiki/Supply_chain_attack