The integrity of Ledger's ConnectKit Library has been breached, leading to serious implications for the safety of Web 3.0 applications.
In Brief
The Ledger ConnectKit library faced a security breach that compromised its integrity, substituting the genuine library with a malicious script that jeopardized various Web3 applications.

A security incident has hit the Web3 space, affecting the library used to connect Ledger Live with other applications. The attack replaced the library with a malicious drainer script, putting users' funds at significant risk. The compromised ConnectKit package automatically loads a harmful JavaScript file from cdn.jsdelivr.net, which includes a draining component, into the global scope.
This breach has rendered the frontend of applications using this library vulnerable, particularly after users have authorized their transactions. Reports suggest that attackers have tampered with the wallet connection interface, endangering all wallet holders, not just those utilizing specific services.
🚨 We've successfully identified and eliminated the malicious version of the Ledger Connect Kit. 🚨
We are currently deploying the legitimate version to overwrite the harmful file. Please refrain from interacting with any decentralized applications for now, and we'll keep you updated as new information comes to light.
— Ledger (@Ledger) December 14, 2023
Prominent cryptocurrency security experts, including banteg, have confirmed the compromise of the Ledger library and advise against interacting with any decentralized applications until the situation becomes clearer. The vulnerability also appears to extend to the Ledger connect-kit-loader, which has a loosely defined dependency on connect-kit.
Warnings Issued by Ledger Security
This attack could potentially affect a wide range of stakeholders, as evidenced by a list of compromised libraries and applications using the service. Ledger's recommendation to load connect-kit through the connect-kit-loader complicates matters: even a pinned version of the loader fetches the latest version of connect-kit, which allowed the malicious package to spread widely.
🚨 The Ledger library has been confirmed compromised, and has been replaced with a malicious drainer. It's advised to hold off on interacting with any dapps until the situation clarifies.
— banteg (@bantg) December 14, 2023
The attackers compromised a notable number of libraries simply by targeting connect-kit. Ledger indicates that version 1.1.4 is the last verified safe version and considers all versions up to 1.1.7, released on the day of the breach, vulnerable. This security incident highlights the urgent need for strong cybersecurity measures in the rapidly advancing Web 3.0 environment, which is not immune to advanced supply-chain attacks even on established tools like Ledger's library.
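The floating-dependency problem described above, as an added example that is not part of the article or of Ledger's own tooling: a small Node script that scans an npm package-lock.json for installed copies of @ledgerhq/connect-kit in the version range the article reports as compromised (after 1.1.4, up to and including 1.1.7) and for any dependency spec that is not an exact pin. The sample lockfile, the loader's version 1.0.0 and its "^1.1.4" range are constructed for illustration; the example models the loader's loose dependency as an npm version range, which is an assumption.

```javascript
// Added example (not from the article or from Ledger): scan a package-lock.json
// for @ledgerhq/connect-kit and flag versions the article reports as compromised,
// plus dependency specs that are not exact pins and can float to a newer release.
const PKG = "@ledgerhq/connect-kit";
const LAST_SAFE = "1.1.4"; // last version Ledger reports as verified safe
const LAST_BAD = "1.1.7";  // latest version published on the day of the breach

// Compare two "x.y.z" strings numerically; returns -1, 0 or 1.
function cmpVersion(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// True for every version after LAST_SAFE up to and including LAST_BAD.
function isCompromised(version) {
  return cmpVersion(version, LAST_SAFE) > 0 && cmpVersion(version, LAST_BAD) <= 0;
}

// "^1.1.4", "~1.1.4", "latest" or "*" let npm resolve a newer release than the
// one the author tested; only an exact "x.y.z" is pinned.
function isFloatingSpec(spec) {
  return !/^\d+\.\d+\.\d+$/.test(spec);
}

// lock: parsed package-lock.json (lockfileVersion 2/3 "packages" map).
// Returns one finding per installed copy of PKG and per floating edge to it.
function scanLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path.endsWith("node_modules/" + PKG) && entry.version) {
      const status = isCompromised(entry.version) ? "COMPROMISED" : "ok";
      findings.push({ path, version: entry.version, status });
    }
    const spec = (entry.dependencies || {})[PKG];
    if (spec && isFloatingSpec(spec)) {
      findings.push({ path: path || "(root)", spec, status: "FLOATING" });
    }
  }
  return findings;
}

// Constructed sample lockfile: the root pins the loader (hypothetical 1.0.0),
// but the loader's caret range on connect-kit resolved to 1.1.5.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "@ledgerhq/connect-kit-loader": "1.0.0" } },
    "node_modules/@ledgerhq/connect-kit-loader": { version: "1.0.0", dependencies: { [PKG]: "^1.1.4" } },
    ["node_modules/" + PKG]: { version: "1.1.5" },
  },
};
```

Running `scanLockfile(SAMPLE_LOCK)` reports both the floating "^1.1.4" edge from the loader and the installed 1.1.5 copy as COMPROMISED, which is exactly the combination a pinned loader cannot protect against.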
Nik is a skilled analyst and writer at Metaverse Post, known for providing cutting-edge insights into the dynamic tech scene, particularly focusing on AI/ML, XR, VR, on-chain analytics, and blockchain innovation. His writing captures the attention of a diverse audience, assisting them in staying abreast of technological advancements. With a Master’s degree in Economics and Management, Nik possesses a deep understanding of the business landscape and its convergence with innovative technologies.