Ledger fixes the bug that endangered numerous decentralized applications

Key facts:
  • Ledger advises waiting 24 hours before using the Ledger Connect Kit again.
  • The new version of the library “is propagating automatically,” the company reported.

On Thursday, December 14, users, developers and everyone else involved with decentralized applications (dApps) were put on alert: the Ledger Connect Kit library, widely used in this context, had been compromised in a cybersecurity attack.

After several hours of concern, and even after Ledger officially confirmed the security breach, calm seems to have returned. The company, which also manufactures hardware wallets (these were not at risk in this case), announced that it has already replaced the malicious library with an authentic version, which “is spreading automatically”. In any case, Ledger recommends not using the Ledger Connect Kit for at least 24 hours.

The root of the problem was that a Ledger employee fell victim to a phishing attack that exposed access to his NPM (Node Package Manager) account. NPM is a package management system for Node.js, a JavaScript application development platform. An account on that platform allows developers to publish, manage and share their software packages with the community.

With that access, the hacker published malicious code as versions 1.1.4, 1.1.5 and 1.1.6 of Ledger Connect Kit. He also used a corrupted version of Wallet Connect to redirect to his own wallet the funds of users who interacted with Ledger Connect Kit in dApps and DeFi.

As explained by sources with expertise in the subject, and as reported by CriptoNoticias, the vulnerability in the aforementioned versions of Ledger Connect Kit made it possible to inject malicious code into the front end of a dApp. In other words, the attacker could cause users to interact with an altered interface without realizing it.

Ledger says it fixed the security breach in less than 40 minutes. However, the vulnerability was active for close to 5 hours, with a window of approximately two hours in which users' funds could have been stolen.

The company says it is in communication with customers whose funds may have been affected and is “working proactively” to help them. In addition, Ledger reported that it is “filing a complaint and collaborating with police authorities in the investigation to identify the attacker.”

The company urged developers to check that they are using the latest version of Ledger Connect Kit, v. 1.1.8. There are also additional security measures that should be taken. In this regard, the developer Mudit Gupta, head of computer security at Polygon Labs, recommended checking the cache for the altered code.

“To make sure you don’t have the malicious library cached, go to https://cdn.jsdelivr.net/npm/@ledgerhq/connect-kit@1 and make sure the version is 1.1.8. If not, clear your cache,” he wrote on social network X (formerly Twitter).
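
One way to act on the two checks above (upgrade to 1.1.8, and make sure no stale copy is still being served), as an added example that is not Ledger's or the article's code: a Node.js script that scans a `package-lock.json` (lockfileVersion 2 or 3) for the versions this article names as malicious, and scans HTML for jsDelivr references like the `@1` URL quoted above, which names a version range rather than an exact release. The lockfile contents, HTML snippet and function names are constructed for illustration.

```javascript
// Added example: constructed inputs; not code from Ledger or from the article.
const PKG = "@ledgerhq/connect-kit";
const MALICIOUS = new Set(["1.1.4", "1.1.5", "1.1.6"]); // versions named in the article
const FIXED = "1.1.8"; // version the article says to use

// Compare dotted numeric versions: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

function classify(version) {
  if (MALICIOUS.has(version)) return "malicious";
  return compareVersions(version, FIXED) < 0 ? "outdated" : "ok";
}

// Walk the "packages" map of a package-lock.json (lockfileVersion 2 or 3),
// including copies nested under another dependency's node_modules.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const isPkg = path === `node_modules/${PKG}` || path.endsWith(`/node_modules/${PKG}`);
    if (!isPkg || typeof entry.version !== "string") continue;
    findings.push({ path, version: entry.version, status: classify(entry.version) });
  }
  return findings;
}

// Flag jsDelivr references that are not pinned to an exact x.y.z version.
function auditCdnRefs(html) {
  const re = /cdn\.jsdelivr\.net\/npm\/@ledgerhq\/connect-kit(?:@([^\/"'\s]+))?/g;
  return [...html.matchAll(re)].map((m) => {
    const spec = m[1] || "(none)";
    return { spec, status: /^\d+\.\d+\.\d+$/.test(spec) ? classify(spec) : "floating" };
  });
}
// Constructed sample inputs (hypothetical project and dependency names).
const sampleLock = { lockfileVersion: 3, packages: {
  "": { name: "demo-dapp" },
  "node_modules/@ledgerhq/connect-kit": { version: "1.1.8" },
  "node_modules/some-wallet-ui/node_modules/@ledgerhq/connect-kit": { version: "1.1.5" },
  "node_modules/legacy-widget/node_modules/@ledgerhq/connect-kit": { version: "1.1.2" },
}};
const sampleHtml = '<script src="https://cdn.jsdelivr.net/npm/@ledgerhq/connect-kit@1"></script>';
console.log(auditLockfile(sampleLock), auditCdnRefs(sampleHtml));
```

A "floating" result means the page loads whatever release the CDN currently resolves for that range, so the version check has to be repeated against what is actually served or cached.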

At the end of its statement, Ledger thanked other companies for their collaboration, such as Chainalysis, which helped identify the attacker’s alleged wallet, and Tether, which froze USDT funds at that address. The statement also highlights the involvement of Wallet Connect, which quickly disabled the corrupt version of its software used by the attacker.