Technically, it is just the frontends. You can always interact with the contracts directly and that can't ever be shut down (if you know what you're doing). Can you do that with your bank?
Let's also not forget that every other website on the planet that relies on npm also relies on the blind trust of unverified UI components. This isn't just silo'd to crypto.
> Let's also not forget that every other website on the planet that relies on npm also relies on the blind trust of unverified UI components.
It feels like you think you're making a really good point here. In reality, it's just a run-of-the-mill appeal to popularity. The programmers doing this sort of thing on other websites are in the wrong, too.
If properly configured and audited, this approach can be secure. Github is the only way configured to publish to NPM, and NPM pushes can only be initiated by signed commits from trusted accounts with MFA, the entire workflow is can be secure on its own.
I don't really see the point for a project that doesn't seem to update their code all that often, though. The risk of misconfiguring something doesn't seem worth the effort saved by having someone with a 2FA key upload a tarball generated on their dev machine.
You are right, I should have waited for the postmortem.. it appeared the likely way because the secret was in the release pipeline env.
However.. something doesn't add up. There is no chance that a malicious actor gained access and in a couple of hours put together this exploit. Or, I can't see someone putting together this exploit, THEN trying to spear-phish in hope of getting lucky and pressing the button.
There is an option to always require 2fa when publishing a package.
> To protect your packages, as a package publisher, you can require everyone who has write access to a package to have two-factor authentication (2FA) enabled. This will require that users provide 2FA credentials in addition to their login token when they publish the package.
> Require two-factor authentication and disallow tokens: With this option, a maintainer must have two-factor authentication enabled for their account, and they must publish interactively. Maintainers will be required to enter 2FA credentials when they perform the publish. Automation tokens and granular access tokens cannot be used to publish packages.
NPM optionally enforces 2FA. You can create an automation token to bypass it. In that case depending on how branches are protected a push to the right branch can publish a new package.
Heck if they have an automated deployment and use devs personal GitHub handles all it would take is forgetting to remove an ex employee from the right github access group. Even if you took away all other access when they left.
Actually worse than that, former employee phished for credentials, per Ledger themselves. Underlying cause is utter incompetence by company, 4th strike.