News Report Software Technology
December 14, 2023

Ledger ConnectKit Library Compromised with a Drainer, Posing Security Risks to Web3 Apps

In Brief

Ledger’s ConnectKit library was breached, replacing the legitimate tool with a drainer script that exposed numerous Web3 apps.

Ledger ConnectKit Library Compromised, Posing Security Risks to Web 3.0 Applications

A security breach occurred in the Web3 sphere, compromising the Ledger ConnectKit library, crucial for linking Ledger Live with applications. This hack involves the replacement of the library with a ‘drainer’ script, posing a serious threat to user funds.

The compromised package, ConnectKit —- automatically loads a JavaScript script from cdn.jsdelivr.net, which includes a drainer, into the global scope.

This infiltration made the frontend of applications using this library vulnerable, particularly after user authorization. Reports indicate that attackers have altered the wallet connection modal window, putting all wallet owners at risk, not just those using Ledger Live.

Warnings Issued by Ledger Security

Notable cryptocurrency security experts, including banteg, have confirmed the Ledger library’s compromise and are advising against interactions with any decentralized applications (dApps) until more clarity emerges. The vulnerability appears to also affect the ledger connect-kit-loader, as it specifies the dependency loosely.

The attack potentially impacts a wide range of parties, as indicated by a list of affected libraries and applications using the @ledgerhq/connect-kit. Ledger’s suggestion to use connect-kit loader for loading connect-kit exacerbates the issue, as even pinned versions of the loader fetch the latest version of connect-kit, leading to widespread infiltration.

Attackers have managed to compromise a significant number of libraries by targeting just the connect-kit. Ledger identifies version 1.1.4 as the last known safe release, but considers all releases up to 1.1.7, posted on the day of the attack, as compromised.

This security incident underscores the critical importance of robust cybersecurity measures in the rapidly evolving Web 3.0 domain, where even well-established tools like Ledger’s library are not immune to sophisticated cyber attacks.

Disclaimer

In line with the Trust Project guidelines, please note that the information provided on this page is not intended to be and should not be interpreted as legal, tax, investment, financial, or any other form of advice. It is important to only invest what you can afford to lose and to seek independent financial advice if you have any doubts. For further information, we suggest referring to the terms and conditions as well as the help and support pages provided by the issuer or advertiser. MetaversePost is committed to accurate, unbiased reporting, but market conditions are subject to change without notice.

About The Author

Nik is an accomplished analyst and writer at Metaverse Post, specializing in delivering cutting-edge insights into the fast-paced world of technology, with a particular emphasis on AI/ML, XR, VR, on-chain analytics, and blockchain development. His articles engage and inform a diverse audience, helping them stay ahead of the technological curve. Possessing a Master's degree in Economics and Management, Nik has a solid grasp of the nuances of the business world and its intersection with emergent technologies.

More articles
Nik Asti
Nik Asti

Nik is an accomplished analyst and writer at Metaverse Post, specializing in delivering cutting-edge insights into the fast-paced world of technology, with a particular emphasis on AI/ML, XR, VR, on-chain analytics, and blockchain development. His articles engage and inform a diverse audience, helping them stay ahead of the technological curve. Possessing a Master's degree in Economics and Management, Nik has a solid grasp of the nuances of the business world and its intersection with emergent technologies.

Hot Stories

Turning Domains into the Backbone of Web3 with D3

by Victoria d'Este
May 23, 2025
Join Our Newsletter.
Latest News

The Calm Before The Solana Storm: What Charts, Whales, And On-Chain Signals Are Saying Now

Solana has demonstrated strong performance, driven by increasing adoption, institutional interest, and key partnerships, while facing potential ...

Know More

Crypto In April 2025: Key Trends, Shifts, And What Comes Next

In April 2025, the crypto space focused on strengthening core infrastructure, with Ethereum preparing for the Pectra ...

Know More
Read More
Read more
DeFi Execution Without the DeFi Headache With Pluton Finance
Hack Seasons Interview Business Markets Technology
DeFi Execution Without the DeFi Headache With Pluton Finance
May 23, 2025
Turning Domains into the Backbone of Web3 with D3
Hack Seasons Interview Business Markets Technology
Turning Domains into the Backbone of Web3 with D3
May 23, 2025
DOP Proposes Bold Tokenomics Reset to Help Spur Ecosystem Growth Even Further
Press Releases Technology
DOP Proposes Bold Tokenomics Reset to Help Spur Ecosystem Growth Even Further
May 23, 2025
Gate’s GET To Transform Entertainment With Web3-Powered Participatory Economy
News Report Technology
Gate’s GET To Transform Entertainment With Web3-Powered Participatory Economy
May 23, 2025