Hardware wallet maker Ledger has warned users not to connect to any decentralized application (dApp) that uses its software, after a compromise of its Connect Kit library.
In a post on its X (formerly Twitter) account, Ledger said a malicious version of the Connect Kit had been identified and removed from its backend.
🚨We have identified and removed a malicious version of the Ledger Connect Kit. 🚨
A genuine version is being pushed to replace the malicious file now. Do not interact with any dApps for the moment. We will keep you informed as the situation evolves.
Your Ledger device and…
— Ledger (@Ledger) December 14, 2023
Users are therefore strongly advised not to interact with any dApps for the time being. Ledger reassured users that Ledger devices and the Ledger Live app are not affected by the malicious code.
The compromised Connect Kit library was first flagged publicly by the developer known as banteg (@bantg on X), who stated that the library had been replaced with a wallet drainer.
🚨 ledger library confirmed compromised and replaced with a drainer. wait out interacting with any dapps till things become clearer. https://t.co/xapunW8zC3 pic.twitter.com/NlAc11vhdv
— banteg (@bantg) December 14, 2023
The drainer was reportedly introduced through the content delivery network (CDN) that hosts the library.
Describing how the malicious code got in, Blockaid stated that an attacker injected a “wallet-draining payload into the popular NPM package,” compromising dApps that use versions 1.14 and above of Ledger’s Connect Kit.
🚨 We’ve detected a potential supply chain attack on ledgerconnect kit 🚨
The attacker injected a wallet draining payload into the popular NPM package.
This currently affects a couple of popular dapps including but not limited to https://t.co/2QJmKIGv9T
— Blockaid (@blockaid_) December 14, 2023
Matthew Lilley, Chief Technology Officer (CTO) of Sushi, added that LedgerHQ/connect-kit loads its JavaScript from a CDN at runtime and that the CDN account had been compromised, which is how malicious JavaScript ended up injected into multiple dApps.
No, LedgerHQ/connect-kit loads JS from a CDN, their CDN account has been compromised which is injecting malicious JS into multiple dApps.
— I’m Software 🦇🔊 (@MatthewLilley) December 14, 2023
Blockchain projects including Revoke.cash and Kyber Network have confirmed the incident. Revoke.cash briefly took its website offline in response, removed the compromised dependency, and has since brought the site back up.
⚠️⚠️⚠️⚠️⚠️⚠️
Warning: Multiple popular crypto applications that integrate with Ledger’s ConnectKit library, including https://t.co/MkINKOiX5N have been compromised. We temporarily took the website offline as we’re investigating further. We recommend not using *any* crypto website…
— Revoke.cash (@RevokeCash) December 14, 2023
Even so, the project has advised users against connecting their wallets to any crypto website for the remainder of the day.
Still Not Safe After Issue Is Addressed
Ledger has confirmed that a genuine version of the library has been deployed and says it is working to purge the wallet-draining payload from its CDN.
Despite these efforts, industry experts are advising caution among crypto users when engaging with any Web3-based solutions for the time being.
Ethereum core developer Hudson Jameson explained that a user who visits any of the many dApps that embed the Ledger library could be shown browser wallet prompts (for example from MetaMask) triggered by the drainer rather than by the dApp, and that approving such a prompt can expose the wallet's assets.
This puts users' funds at risk. To mitigate it, users are strongly advised not to interact with any affected dApp until that dApp has shipped the update.
Ledger Library Exploit Explainer for Average Folks
What is going on with the recent alerts not to use dapps?
A library that is used by many dapps that is maintained by Ledger was compromised and a wallet drainer was added.
What do I do as a normal user?
Do not interact with… https://t.co/exre0QfykD
— Hudson Jameson (@hudsonjameson) December 14, 2023
Jameson emphasized that even after the removal of the malicious code, all connected dApps must update their libraries before they can be considered safe for use.