News Report Software Technology
December 14, 2023

Ledger ConnectKit Library Compromised with a Drainer, Posing Security Risks to Web3 Apps

In Brief

Ledger’s ConnectKit library was breached, replacing the legitimate tool with a drainer script that exposed numerous Web3 apps.

Ledger ConnectKit Library Compromised, Posing Security Risks to Web 3.0 Applications

A security breach occurred in the Web3 sphere, compromising the Ledger ConnectKit library, crucial for linking Ledger Live with applications. This hack involves the replacement of the library with a ‘drainer’ script, posing a serious threat to user funds.

The compromised package, ConnectKit —- automatically loads a JavaScript script from cdn.jsdelivr.net, which includes a drainer, into the global scope.

This infiltration made the frontend of applications using this library vulnerable, particularly after user authorization. Reports indicate that attackers have altered the wallet connection modal window, putting all wallet owners at risk, not just those using Ledger Live.

Warnings Issued by Ledger Security

Notable cryptocurrency security experts, including banteg, have confirmed the Ledger library’s compromise and are advising against interactions with any decentralized applications (dApps) until more clarity emerges. The vulnerability appears to also affect the ledger connect-kit-loader, as it specifies the dependency loosely.

The attack potentially impacts a wide range of parties, as indicated by a list of affected libraries and applications using the @ledgerhq/connect-kit. Ledger’s suggestion to use connect-kit loader for loading connect-kit exacerbates the issue, as even pinned versions of the loader fetch the latest version of connect-kit, leading to widespread infiltration.

Attackers have managed to compromise a significant number of libraries by targeting just the connect-kit. Ledger identifies version 1.1.4 as the last known safe release, but considers all releases up to 1.1.7, posted on the day of the attack, as compromised.

This security incident underscores the critical importance of robust cybersecurity measures in the rapidly evolving Web 3.0 domain, where even well-established tools like Ledger’s library are not immune to sophisticated cyber attacks.

Disclaimer

In line with the Trust Project guidelines, please note that the information provided on this page is not intended to be and should not be interpreted as legal, tax, investment, financial, or any other form of advice. It is important to only invest what you can afford to lose and to seek independent financial advice if you have any doubts. For further information, we suggest referring to the terms and conditions as well as the help and support pages provided by the issuer or advertiser. MetaversePost is committed to accurate, unbiased reporting, but market conditions are subject to change without notice.

About The Author

Nik is an accomplished analyst and writer at Metaverse Post, specializing in delivering cutting-edge insights into the fast-paced world of technology, with a particular emphasis on AI/ML, XR, VR, on-chain analytics, and blockchain development. His articles engage and inform a diverse audience, helping them stay ahead of the technological curve. Possessing a Master's degree in Economics and Management, Nik has a solid grasp of the nuances of the business world and its intersection with emergent technologies.

More articles
Nik Asti
Nik Asti

Nik is an accomplished analyst and writer at Metaverse Post, specializing in delivering cutting-edge insights into the fast-paced world of technology, with a particular emphasis on AI/ML, XR, VR, on-chain analytics, and blockchain development. His articles engage and inform a diverse audience, helping them stay ahead of the technological curve. Possessing a Master's degree in Economics and Management, Nik has a solid grasp of the nuances of the business world and its intersection with emergent technologies.

Hot Stories

Missed Bitcoin’s Rise? Here’s What You Should Know

by Victoria d'Este
December 20, 2024
Join Our Newsletter.
Latest News

From Ripple to The Big Green DAO: How Cryptocurrency Projects Contribute to Charity

Let's explore initiatives harnessing the potential of digital currencies for charitable causes.

Know More

AlphaFold 3, Med-Gemini, and others: The Way AI Transforms Healthcare in 2024

AI manifests in various ways in healthcare, from uncovering new genetic correlations to empowering robotic surgical systems ...

Know More
Read More
Read more
Transak Increases Accessibility To Memecoins By Listing 11 New Tokens
Markets News Report Technology
Transak Increases Accessibility To Memecoins By Listing 11 New Tokens
December 20, 2024
Missed Bitcoin’s Rise? Here’s What You Should Know
Opinion Business Markets Technology
Missed Bitcoin’s Rise? Here’s What You Should Know
December 20, 2024
The Explosive Rise of Crypto Theft in 2024 with North Korea Leading the Charge
Opinion Business Markets Software Technology
The Explosive Rise of Crypto Theft in 2024 with North Korea Leading the Charge
December 20, 2024
Multiple Network Unveils Brand Upgrade, Focusing On Privacy Protection And Data Acceleration 
News Report Technology
Multiple Network Unveils Brand Upgrade, Focusing On Privacy Protection And Data Acceleration 
December 20, 2024