pull down to refresh

Was the malicious version inserted in the kit by an employer?
Insider threat babyyyyy
Or ledger the company got hacked somewhere that allowed the attacker to push this malicious update. Hard to know without ledger (or the attacker lel) telling us.
reply
If it's an inside job, it's very bad. Basically everything could be compromised.
Shouldn't the commits be multi-keyed?
edit: multisig
reply
I don't know how ledger runs their business, but I got a screenshot of a tweet from another chat (twitter user @MatthewLilley) which says
  1. They are loading JS from a CDN
  2. They are not version locking loaded JS
  3. They had their CDN compromised
reply