Malicious JavaScript Steals $680K from Ledger Cryptocurrency Wallets

Ledger, a popular manufacturer of hardware cryptocurrency wallets, has warned its customers against using DApps (decentralized applications) following a recently discovered supply-chain attack.

The attack involved the injection of malicious JavaScript code into the Ledger DApp Connect Kit library, which enables Web3 applications to interact with Ledger wallets. This code automatically siphoned off cryptocurrency and NFTs from user accounts connected to the service.

The issue was identified on the morning of December 14, after the Ledger account on NPMJS fell victim to a phishing attack. An unknown perpetrator published malicious releases of Connect Kit: versions 1.1.5, 1.1.6, and 1.1.7.

The malicious JavaScript exploited vulnerabilities in a third-party library called WalletConnect, redirecting users to hackers’ accounts. The developers promptly removed the compromised versions of Connect Kit and released an urgent update, version 1.1.8.

However, third-party DApps that continue to use the old versions remain at risk. Users are strongly advised to refrain from using these applications until the issue is resolved.

Ledger reassures its customers that its main software and hardware have not been compromised. The performance of the company’s most popular products, Ledger Live and its hardware cryptocurrency wallets, remains unaffected.

Nevertheless, the company warns of increased phishing attacks and urges users to exercise caution. Under no circumstances should users disclose their 24-word secret phrase to attackers.

According to blockchain company SlowMist, the compromise of the Ledger library began with version 1.1.5. The perpetrators then added an audit text message to the code.

In versions 1.1.6 and 1.1.7, the code contained well-disguised malicious JavaScript. Analysis of this script revealed that it also attempted to siphon off cryptocurrency and NFTs from services such as Coinbase, Trust Wallet, and MetaMask.

The investigation into the incident is still ongoing, and the
