Blockchain Firm Ledger Confirms ConnectKit Library Compromise

Jimmy Aki

Hardware wallet provider Ledger has warned users to avoid connecting to any supported decentralized applications (dApps) using its software due to a compromise of its ConnectKit library.

According to information shared on its X (formerly Twitter) account, a malicious version of the ConnectKit library was identified and removed from its backend.

Users are therefore strongly advised to avoid interacting with any dApps for the time being. However, Ledger reassured users that their Ledger devices and Ledger Live apps remain unaffected by the malicious code.

The compromised ConnectKit library was first discovered by a developer on X with the username @bantg, who stated that a drainer had been injected into the backend of the Ledger software.

The drainer was purportedly added to a content delivery network (CDN) that hosted the software library.

Shedding light on how the malicious code was added, Blockaid stated that a cyberattacker injected a “wallet-draining payload into the popular NPM package,” leading to a compromise for dApps using versions 1.14 and above of Ledger’s ConnectKit.

Matthew Lilley, Chief Technology Officer (CTO) of Sushi, also disclosed that LedgerHQ/connectkit loads JS from a CDN and that the CDN account had been compromised. As a result, malicious JS code was injected into multiple dApps.

Blockchain projects like RevokeCash and Kyber Network have confirmed the incident. RevokeCash briefly suspended its website in response but has since rectified the issue, removing the exploited dependency and reopening its website.

However, the project has advised users against connecting their crypto wallets to any blockchain protocol for the remainder of the day.

Still Not Safe After Issue Is Addressed

The Ledger protocol has confirmed the deployment of authentic software and is actively working to eliminate the wallet-draining payload from its CDN service.

Despite these efforts, industry experts are advising caution among crypto users when engaging with any Web3-based solutions for the time being.

Ethereum core developer Hudson Jameson explained that if any crypto user visits any of the numerous dApps linked to the Ledger ecosystem, browser prompts like MetaMask could reveal their crypto wallet details.

This vulnerability poses a risk of asset compromise. To mitigate this risk, users are strongly advised to refrain from interacting with any affected dApps until the update is released.

Jameson emphasized that even after the removal of the malicious code, all connected dApps must update their libraries before they can be considered safe for use.