In the world of digital assets, security isn't just a feature; it's the entire product. For a company like Ledger, the nightmare scenario isn't a loud, brute-force attack; it's a silent, upstream compromise that slips into the build pipeline unnoticed.
Most organizations spend their time reacting to "vulnerability news." They wait for the public disclosure, the CVE number or a security vendor to flag the vulnerability, and then comes the inevitable scramble to patch.
Ledger doesn't wait. When Depi discovered a critical risk in Rollup, a core tool used by millions of developers, Ledger's security team was already a week ahead of the rest of the world. The vulnerability could have allowed a malicious actor to run a testing pipeline with malicious code, effectively poisoning the pipeline, pivoting to steal npm credentials and potentially pushing a backdoor into Rollup. Depi had flagged the anomaly autonomously and mapped the risk seven days before the maintainer patched the vulnerability.
The Invisible Enemy: Upstream Risks
The true struggle for a modern security team isn't just fixing bugs; it's seeing the backdoors before they are exploited. Traditional tools tell you when a known vulnerability exists. Depi tells you when something upstream looks wrong, even if it doesn't have a name yet.
"The real breakthrough with Depi is that we're no longer limited to reacting to public disclosures or relying on vendors to detect every threat in the ecosystem,"
says Francisco, Senior Software Security Engineer at Ledger.
"Because Depi scans everything upstream, we see anomalies before they happen, not after the community finds them. It gives us visibility into our upstream attack surface from an attacker's perspective."
Beyond the Alert: The Four Questions
Even once a risk is identified, the pressure mounts. Under the clock of a disclosure window, security teams usually drown in noise. They need to answer four questions, fast:
- Ingestion: Where exactly are we pulling this in?
- Impact: Which projects are live with this dependency right now?
- Automation: Where will this be automatically pulled in the next build?
- Containment: What is the safest way to pin this until a fix is ready?
The Decision-Maker's Perspective: Trust as a Currency
For leadership, this isn't just about code; it's about business resilience and brand integrity.
"At Ledger, we never compromise. Waiting for an incident is already a compromise."
explains Vincent Bouzon, Director of Product Security at Ledger.
"We cannot afford to have our developers paralyzed by dependency noise or, worse, blind to upstream risks. Depi gives us the precision to act decisively."
The Result: Precision Over Panic
By the time the Rollup team issued a fix to their pipelines, Ledger had already:
- Identified every impacted project across their entire ecosystem.
- Mapped the blast radius to see exactly how the package was ingested.
- Implemented a pinning strategy to prevent potentially compromised versions from ever hitting their build chain.
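The four triage questions above (ingestion, impact, automation, containment) and the pinning strategy in this list can be answered mechanically from the manifests a project already has. The script below is an added example written for this article, not Depi's or Ledger's tooling: given several projects' package.json and package-lock.json contents, it reports where a named package is ingested (directly or through which parent), which projects currently carry it, which version specs float and would pull a new release on the next build, and emits the npm `overrides` fragment that pins every copy to one version. The sample manifests, project names and version numbers are constructed placeholders and do not correspond to any real advisory.

```python
"""Triage one npm package across several projects from package.json and
package-lock.json (lockfile v3) contents, answering: where is it ingested,
which projects are impacted, which specs float, and how to pin it."""
import json
import re

PACKAGE = "rollup"
KNOWN_GOOD = "4.1.0"  # placeholder chosen for the demo, not from an advisory

# Constructed sample data: one project depends on the package directly, one
# only transitively through another dependency, one not at all.
PROJECTS = {
    "wallet-web": {
        "package.json": json.dumps({"dependencies": {"rollup": "^4.0.0"}}),
        "package-lock.json": json.dumps({
            "lockfileVersion": 3,
            "packages": {
                "": {"dependencies": {"rollup": "^4.0.0"}},
                "node_modules/rollup": {"version": "4.1.0"},
            },
        }),
    },
    "sdk-tools": {
        "package.json": json.dumps({"devDependencies": {"vite": "5.0.0"}}),
        "package-lock.json": json.dumps({
            "lockfileVersion": 3,
            "packages": {
                "": {"devDependencies": {"vite": "5.0.0"}},
                "node_modules/vite": {"version": "5.0.0",
                                      "dependencies": {"rollup": "^4.0.0"}},
                "node_modules/rollup": {"version": "4.1.0"},
            },
        }),
    },
    "docs-site": {
        "package.json": json.dumps({"dependencies": {"marked": "12.0.0"}}),
        "package-lock.json": json.dumps({
            "lockfileVersion": 3,
            "packages": {"": {"dependencies": {"marked": "12.0.0"}},
                         "node_modules/marked": {"version": "12.0.0"}},
        }),
    },
}

EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$")
DEP_FIELDS = ("dependencies", "devDependencies",
              "optionalDependencies", "peerDependencies")


def is_floating(spec: str) -> bool:
    """True if npm may resolve this spec to a newer release on the next install
    (^, ~, *, x-ranges, comparators, tags). Exact x.y.z specs are not floating."""
    return not EXACT_VERSION.match(spec.strip())


def ingestion_paths(lock: dict, pkg: str) -> list:
    """Every lockfile entry that declares pkg as a dependency.
    Parent '' is the project root, i.e. a direct dependency."""
    paths = []
    for path, entry in lock.get("packages", {}).items():
        for field in DEP_FIELDS:
            spec = entry.get(field, {}).get(pkg)
            if spec is not None:
                paths.append({"parent": path or "<root>", "field": field, "spec": spec})
    return paths


def installed_version(lock: dict, pkg: str):
    """Version currently resolved in the lockfile, or None if absent."""
    entry = lock.get("packages", {}).get(f"node_modules/{pkg}")
    return entry.get("version") if entry else None


def triage(projects: dict, pkg: str) -> dict:
    """Per impacted project: installed version, whether it is a direct
    dependency, all ingestion paths, and which of those specs float."""
    report = {}
    for name, files in projects.items():
        lock = json.loads(files["package-lock.json"])
        version = installed_version(lock, pkg)
        if version is None:
            continue  # not impacted
        paths = ingestion_paths(lock, pkg)
        report[name] = {
            "installed": version,
            "direct": any(p["parent"] == "<root>" for p in paths),
            "ingestion": paths,
            "floating": [p for p in paths if is_floating(p["spec"])],
        }
    return report


def containment_override(pkg: str, version: str) -> dict:
    """package.json fragment for containment: npm 'overrides' forces every
    copy of pkg, direct or transitive, to the given version until a fix ships."""
    return {"overrides": {pkg: version}}


if __name__ == "__main__":
    for project, info in triage(PROJECTS, PACKAGE).items():
        kind = "direct" if info["direct"] else "transitive"
        print(f"{project}: {PACKAGE}@{info['installed']} ({kind}), "
              f"{len(info['floating'])} floating spec(s)")
        for p in info["ingestion"]:
            print(f"  via {p['parent']} [{p['field']}] spec {p['spec']}")
    print("containment:", json.dumps(containment_override(PACKAGE, KNOWN_GOOD)))
```

The `overrides` fragment goes into each impacted project's package.json; the lockfile is then regenerated and builds use `npm ci` so that CI installs exactly what the lockfile records rather than re-resolving floating ranges. Transitive ingestion (sdk-tools in the sample) is the case a plain grep of package.json misses, which is why the walk runs over the lockfile's parent entries.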
This is what mature supply chain defense looks like: not just reacting when the attacker already backdoored your dependencies, but having the upstream visibility to stop it before it reaches your environment.