According to Cyvers, the attacker caused malicious code to be inserted into multiple app user interfaces, allowing the exploiter to fool users into confirming transactions.
https://cointelegraph.com/news/how-the-ledger-connect-hacker-tricked-users-into-making-malicious-approvals