Malicious JavaScript Robbed Ledger Crypto Wallets for $680,000

Developers are asking customers to be careful with decentralized applications.

Ledger, a popular manufacturer of hardware crypto wallets, has warned its customers about the dangers of using dApps (decentralized applications). The warning followed the detection of a supply chain attack.

Attackers embedded malicious JavaScript code in the Ledger DApp Connect Kit library, which allows web3 applications to interact with Ledger wallets. This code automatically stole cryptocurrency and NFTs from accounts connected to the service.

According to the company, the problem was identified on the morning of December 14, after a phishing attack on the Ledger account on NPMJS. Unknown attackers then published malicious versions of Connect Kit; versions 1.1.5, 1.1.6 and 1.1.7 are affected.

The malicious JavaScript exploited a vulnerability in the third-party Wallet Connect library to redirect user funds to the hackers' accounts. The developers removed the compromised versions of Connect Kit and urgently released a new one, 1.1.8.

However, the danger remains for third-party dApps that still run on older versions. Users are advised to refrain from using these apps until the problem is resolved.

Ledger assured customers that its core software and hardware were not affected. The operation of the company's most popular products, Ledger Live and the hardware crypto wallets themselves, was not impacted.

However, the company warned that phishing attacks are intensifying. Users are advised to be vigilant and under no circumstances disclose their 24-word secret phrase to attackers.

According to the blockchain company SlowMist, the compromise of the Ledger library began with version 1.1.5. At that point, the criminals added a text message to the code as a check.

Versions 1.1.6 and 1.1.7 already contained well-disguised malicious JavaScript. Analysis of this script revealed that it also attempted to steal cryptocurrency and NFTs from services such as Coinbase, Trust Wallet, and MetaMask.

The investigation of the incident is still ongoing. The extent of the damage has not yet been determined, although there have been reports of theft of about $680,000. Ledger has already provided the wallet addresses of the attackers, and the Tether team froze some of the stolen funds in USDT.
 