by KomoD 921 days ago
Source?

Their Twitter says "This morning CET, a former Ledger Employee fell victim to a phishing attack that gained access to their NPMJS account."

And GitHub Actions automatically redacts the secret in the log.


You are right, I should have waited for the postmortem. It appeared the likely way because the secret was in the release pipeline env.

However, something doesn't add up. There is no chance that a malicious actor gained access and in a couple of hours put together this exploit. Or, I can't see someone putting together this exploit, THEN trying to spear-phish in hope of getting lucky and pressing the button.

> I can't see someone putting together this exploit, THEN trying to spear-phish in hope of getting lucky and pressing the button.

How can you not see someone doing that? The effort netted them $600k.

Is this not how exploits work? Build the exploit and then try to use it by finding an "in." They don't find an "in" and then build the exploit.