Ledger is warnings users not to use web3 dApps after a supply chain attack on the 'Ledger dApp Connect Kit' library was found pushing a JavaScript wallet drainer that stole $600,000 in crypto and NFTs. Ledger is a hardware wallet that lets users buy, manage, and securely store their digital assets offline, supporting multiple cryptocurrencies, including Bitcoin and Ethereum.
Today, Ledger warns users that its Ledger Connect Kit was compromised to include malicious code and that all users should avoid using dApps for now.
This malicious code added to the library is a wallet drainer that automatically steals crypto and NFTs from wallets that connect to the app.
The malicious version of the library has been removed, and a new clean version of the kit, version 1.1.8, was uploaded on Ledger's distribution channels at 2:35 pm CET. However, all potentially impacted projects must replace their malicious version with a clean copy before they are safe to use again.
According to a notice on the impacted GitHub repository, the wallet drainer code affects versions 1.1.5 through 1.1.7 of the Connect Kit, injected into the package via a compromised NPM account.
Ledger has advised users to 'Clear Sign' all transactions, following these instructions.
Users should avoid all interaction with any DApps until they have confirmed that those have moved to a safe version of the Connect Kit.
The company also warned of ongoing phishing attacks attempting to take advantage of the situation, advising users to remain vigilant for messages asking them to share their 24-word secret recovery phrase.
Ledger told Bleeping that its library was compromised after its NPMJS account was breached this morning during a phishing attack on a former employee.
Ledger states that a fix was deployed 40 minutes after Ledger became aware of the breach and that the compromised library was only available for 5 hours.
Ledger has assured users that the core hardware and the main software application used for managing cryptocurrency assets have not been compromised or directly affected by this supply chain attack.
Blockchain security firm SlowMist reports that the compromise started in Ledger Connect Kit 1.1.5 with the attacker leaving a message in the code, possibly as testing.
In versions 1.1.6 and 1.1.7 of the package, heavily obfuscated malicious JavaScript code was also implanted.
BleepingComputer analyzed the script to determine its functionality and found that it attempts to steal cryptocurrency and NFTs from Coinbase, Trust Wallet, and MetaMask.
Reports indicate that approximately $680,000 was stolen in the supply chain attack.
Ledger told BleepingComputer that they had reported the hacker's wallet addresses and that Tether has frozen stolen USDT. Ledger has promised to publish more details about the incident through a comprehensive report later today, but for now, they're focusing on securing the library and investigating the breach.
Fake Ledger Live app in Microsoft Store steals $768,000 in crypto.
UK and South Korea: Hackers use zero-day in supply-chain attack.
Hackers breach healthcare orgs via ScreenConnect remote access.
Microsoft: OAuth apps used to automate BEC and cryptomining attacks.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 14 Dec 2023 16:25:15 +0000