December 14, 2023

Ledger ConnectKit Library Compromised with a Drainer, Posing Security Risks to Web3 Apps

In Brief

Ledger’s ConnectKit library was breached, replacing the legitimate tool with a drainer script that exposed numerous Web3 apps.

Ledger ConnectKit Library Compromised, Posing Security Risks to Web 3.0 Applications

A security breach occurred in the Web3 sphere, compromising the Ledger ConnectKit library, crucial for linking Ledger Live with applications. This hack involves the replacement of the library with a ‘drainer’ script, posing a serious threat to user funds.

The compromised package, ConnectKit, automatically loads a JavaScript script from cdn.jsdelivr.net, which includes a drainer, into the global scope.

This infiltration made the frontend of applications using this library vulnerable, particularly after user authorization. Reports indicate that attackers have altered the wallet connection modal window, putting all wallet owners at risk, not just those using Ledger Live.

Warnings Issued by Ledger Security

Notable cryptocurrency security experts, including banteg, have confirmed the Ledger library’s compromise and are advising against interactions with any decentralized applications (dApps) until more clarity emerges. The vulnerability also appears to affect Ledger's connect-kit-loader, as it specifies the dependency loosely.

The attack potentially impacts a wide range of parties, as indicated by a list of affected libraries and applications using @ledgerhq/connect-kit. Ledger’s suggestion to use connect-kit-loader for loading connect-kit exacerbates the issue, as even pinned versions of the loader fetch the latest version of connect-kit, leading to widespread infiltration.

Attackers have managed to compromise a significant number of libraries by targeting just the connect-kit. Ledger identifies version 1.1.4 as the last known safe release, but considers all releases up to 1.1.7, posted on the day of the attack, as compromised.
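
As an added example (not code from Ledger or from this article), the Node.js audit below flags lockfile entries for `@ledgerhq/connect-kit` in the range reported above as compromised, and jsDelivr references that are not pinned to an exact release. The lockfile and HTML samples are constructed, and the URL pattern assumes jsDelivr's `/npm/<package>@<version>` form.

```javascript
// Added example: audit for the connect-kit exposure described in the article.
// Version bounds come from the article; all sample data below is constructed.
const PKG = '@ledgerhq/connect-kit';
const LAST_SAFE = [1, 1, 4];        // last known safe release
const LAST_COMPROMISED = [1, 1, 7]; // releases up to here are treated as compromised

const parse = (v) => v.split('-')[0].split('.').map((n) => Number(n) || 0);
const cmp = (a, b) => {
  for (let i = 0; i < 3; i++) {
    const d = (a[i] || 0) - (b[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
};
const isCompromised = (v) =>
  cmp(parse(v), LAST_SAFE) > 0 && cmp(parse(v), LAST_COMPROMISED) <= 0;

// Walk the "packages" map of a package-lock.json (lockfileVersion 2 or 3).
function auditLockfile(lock) {
  return Object.entries(lock.packages || {})
    .filter(([path]) => path.endsWith('node_modules/' + PKG))
    .map(([path, meta]) => ({ path, version: meta.version, compromised: isCompromised(meta.version) }));
}

// Flag jsDelivr references that float (no exact x.y.z pin) or pin a bad release.
// A floating reference lets the CDN decide at load time which release executes.
function findRiskyCdnRefs(source) {
  const re = /cdn\.jsdelivr\.net\/npm\/@ledgerhq\/connect-kit(?![\w-])(?:@([^\/"'\s]+))?/g;
  const hits = [];
  for (const m of source.matchAll(re)) {
    const spec = m[1] || 'latest';
    const exact = /^\d+\.\d+\.\d+$/.test(spec);
    if (!exact || isCompromised(spec)) hits.push({ spec, exact });
  }
  return hits;
}

// Constructed sample inputs.
const sampleLock = { lockfileVersion: 3, packages: {
  'node_modules/@ledgerhq/connect-kit-loader': { version: '1.1.2' },
  'node_modules/@ledgerhq/connect-kit': { version: '1.1.6' },
  'node_modules/some-dapp-sdk/node_modules/@ledgerhq/connect-kit': { version: '1.1.4' },
} };
const sampleHtml = `
<script src="https://cdn.jsdelivr.net/npm/@ledgerhq/connect-kit@1"></script>
<script src="https://cdn.jsdelivr.net/npm/@ledgerhq/connect-kit@1.1.4"></script>`;

console.log(auditLockfile(sampleLock));
console.log(findRiskyCdnRefs(sampleHtml));
```

A clean lockfile does not clear an application on its own: a floating CDN reference is resolved in the user's browser at load time, so both checks are needed.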

This security incident underscores the critical importance of robust cybersecurity measures in the rapidly evolving Web 3.0 domain, where even well-established tools like Ledger’s library are not immune to sophisticated cyber attacks.


About The Author

Nik is an accomplished analyst and writer at Metaverse Post, specializing in delivering cutting-edge insights into the fast-paced world of technology, with a particular emphasis on AI/ML, XR, VR, on-chain analytics, and blockchain development. His articles engage and inform a diverse audience, helping them stay ahead of the technological curve. Possessing a Master's degree in Economics and Management, Nik has a solid grasp of the nuances of the business world and its intersection with emergent technologies.

Nik Asti