IMPORTANT: Ledger ConnectKit Library has been Compromised with a drainer.

[nelson4lov]

Apparently, Ledger is in the news again for the wrong reasons.

At first, SuchiSwap CTO (one of the leading DEXs) made a tweet about the suspected vulnerability.



The primary issue is that the Ledger ConnectKit NPM package Library that is used across majority of decentralized applications was updated few hours ago with malicious code (drainer):



How come?

It looks like the NPM key was leaked via a github action  which means Anyone can invoke the action via a PR on Ledger's GitHub Orgs, then leak that key by crafting a malicious package.json.




Right now, any user interacting with any and all Dapps could potentially be exposed to the vulnerability and end up losing all funds to drainers. According to my research so far, it doesn't include users who are just using Ledger for day-to-day transfers with no interactions and prior interactions before the vulnerability was disclosed appears to good.

Side note: This only shows how poorly the Ledger team takes security and their continued negligence of the security of their products and services.

Update #1: Ledger has confirmed the vulnerability report:

🚨We have identified and removed a malicious version of the Ledger Connect Kit. 🚨

A genuine version is being pushed to replace the malicious file now. Do not interact with any dApps for the moment. We will keep you informed as the situation evolves.

Your Ledger device and Ledger Live were not compromised.

[1714505731]

1714505731

[rhomelmabini]

I don't know if I'll be affected on it but when I saw the news I definitely run to revoke.cash and definitely I get to signed there but then suddenly it goes with another website so I closed it like "Vercel" or something, can't remember. Do I have to worry for that?

[criptoevangelista]

The important thing now is not to interact with absolutely anything on chain until the problems are resolved.

again problems with the ledger. I use a ledger nano X and from now on I will consider getting a new hardwallet.

[nelson4lov]

I don't know if I'll be affected on it but when I saw the news I definitely run to revoke.cash and definitely I get to signed there but then suddenly it goes with another website so I closed it like "Vercel" or something, can't remember. Do I have to worry for that?

Imo, As long as you didn't sign any of the prompts, you should be good to good. Unless you signed any message or interactions with your signature, you should be good to go. But still, remain vigilant till we have a full report.

[rhomelmabini]

I don't know if I'll be affected on it but when I saw the news I definitely run to revoke.cash and definitely I get to signed there but then suddenly it goes with another website so I closed it like "Vercel" or something, can't remember. Do I have to worry for that?

Imo, As long as you didn't sign any of the prompts, you should be good to good. Unless you signed any message or interactions with your signature, you should be good to go. But still, remain vigilant till we have a full report.

You mean if I didn't signed anything like the "signed message" that we see on our wallet? I think I did, because I was on the right site of revoke.cash but then suddenly it goes for another site and it asks to login with my GitHub etc., monitoring my wallet but nothing is happening at the moment, do I have to move anything then?

[OmegaStarScream]

What does this really mean though? Is this the library used by dapps to allow users to connect directly to the Ledger, instead of using MetaMask as an intermediary?  I don't believe I have seen many sites using that lately?

[nelson4lov]

What does this really mean though? Is this the library used by dapps to allow users to connect directly to the Ledger, instead of using MetaMask as an intermediary?  I don't believe I have seen many sites using that lately?

The Library is used by various dapps for their "Connect Wallet" modal that users can click to connect their wallets to these dapps in other to facilitate interactions. One of the libraries (Ledger's ConnectKit) that is used in most frontends was compromised.

The issue mainly affects users that uses frontends for interactions.

[criptoevangelista]

I don't know if I'll be affected on it but when I saw the news I definitely run to revoke.cash and definitely I get to signed there but then suddenly it goes with another website so I closed it like "Vercel" or something, can't remember. Do I have to worry for that?

Imo, As long as you didn't sign any of the prompts, you should be good to good. Unless you signed any message or interactions with your signature, you should be good to go. But still, remain vigilant till we have a full report.

You mean if I didn't signed anything like the "signed message" that we see on our wallet? I think I did, because I was on the right site of revoke.cash but then suddenly it goes for another site and it asks to login with my GitHub etc., monitoring my wallet but nothing is happening at the moment, do I have to move anything then?

I would switch to a secure wallet so I don't have to worry about this anymore.

[Kryptowerk]

Thanks for the warning and updates @nelson4lov

Soon I can start an info thread with a list of all the Ledger f-ups that happened over the years. It's getting longer and longer.

I'm not up-to-date with all these web3 dApp stuff - what actually is affected here? Are we talking about swap-dApps and Defi-stuff or anything else?
Also, does this only affect tokens on the Ethereum chain or also others?

[btc_penguin]

Anyone knows whether Electrum uses the library as well?

[nelson4lov]

Thanks for the warning and updates @nelson4lov

Soon I can start an info thread with a list of all the Ledger f-ups that happened over the years. It's getting longer and longer.

I'm not up-to-date with all these web3 dApp stuff - what actually is affected here? Are we talking about swap-dApps and Defi-stuff or anything else?
Also, does this only affect tokens on the Ethereum chain or also others?

No tokens or core Ethereum protocol was affected. The Ledger ConnectKit Library is a common Library that is usually used for connecting wallets in order to interact with Dapps (staking, swapping, Money markets, etc). Being compromised means any user that connects to any decentralized application via a "connect wallet" kit is likely to get drained since there is malicious drainer embedded in the library being used.

This is a case of a library being popularly used in frontends getting compromised.

[rhomelmabini]

I don't know if I'll be affected on it but when I saw the news I definitely run to revoke.cash and definitely I get to signed there but then suddenly it goes with another website so I closed it like "Vercel" or something, can't remember. Do I have to worry for that?

Imo, As long as you didn't sign any of the prompts, you should be good to good. Unless you signed any message or interactions with your signature, you should be good to go. But still, remain vigilant till we have a full report.

You mean if I didn't signed anything like the "signed message" that we see on our wallet? I think I did, because I was on the right site of revoke.cash but then suddenly it goes for another site and it asks to login with my GitHub etc., monitoring my wallet but nothing is happening at the moment, do I have to move anything then?

I would switch to a secure wallet so I don't have to worry about this anymore.

The drainer doesn't come from the signing message but was on the WalletConnect modal and the drainer was faking that popup modal with different appearance during the dApp connection phase. I already identify that during my interaction with revoke.cash they already made the site offline but I'm still being vigilant for further announcement.

Not necessarily I would switch considering there has been some staked assets on my wallet and the advisory that no interaction yet on any dApps means I won't be able to get them out as well. Still monitoring the incident and glad we have huge helpful community not just here but on Twitter/X as well.

[SquirrelJulietGarden]

The Library is used by various dapps for their "Connect Wallet" modal that users can click to connect their wallets to these dapps in other to facilitate interactions. One of the libraries (Ledger's ConnectKit) that is used in most frontends was compromised.

The issue mainly affects users that uses frontends for interactions.

dApps and smart contracts are not smart all all as they can be exploited by scammers.

I don't want to touch them too much and if I use dApp and smart contract with interactions, I will create a new wallet with small fund for it. If anyone use only one wallet, store all fund there but are ready to explore around new platforms, dApps, smart contracts, such interactions are risky and drain all money in that wallet.

I don't mind about Ledger and the advice is general for practice with fund, wallet and any interaction that can steal your money.

[gunhell16]

That's worrying, I even ordered a hardware wallet and I'm just waiting for it to arrive, really the exploitative person will do anything when there is an opportunity to attack other people to steal.

I hope it can be resolved properly and they can innovate more securely without disturbing the HW holders in these situations we have today. How many times have these issues happened? Wasn't there something before in the ledger too, right?

[KiaKia]

It just get to my notice right now, and I already created another topic, this is so messed up with Ledger, I am glad that I am not using the Nano that was sent to me by a friend as a gift, I just don't feel safe using the wallet.

I think the best solution is to avoid connecting your hardware wallet to anything, if you want to sell, send from your hardware wallet to a hot wallet first and use the hot wallet to connect to anything, correct me if I am wrong? I believe this is even a good advice for all hardware wallet users.

As those who are trapped use their ledger to connect, I don't do this even while I am using a air gapped hardware wallet.

[cheezcarls]

Most of the important assets are in my Ledger, but I’ve never connect it to Dapps as it’s only treated for long term storage. These hackers are getting smarter overtime, so DeFi and Web3 are still young and has long ways to go because of one of their major weakness which is the cybersecurity side.

On top of that, I have disconnected my burner Metamask wallet in all of the sites that I have interacted.

It looks like that the wallets implementing the traditional seed phrase and private key model are the most vulnerable of all and are targeted by the hackers whether if it’s cold or hot non-custodial type.

[m2017]

Would you like a little dose of conspiracy theory?

After this compromise, Ledger will definitely release new firmware for their devices (they can’t help but do this), into which you can integrate any program code directed against the interests of ledger owners (like even more tracking and obtaining personal data or even gaining complete control over their means).

Horror story (they could have pulled this off a long time ago).

But seriously, what can I say. Ledger screwed up again. Happens. I mean, it has happened more than once. We weren't surprised at all. I wonder what the next fakap will be?

[so98nn]

Thanks for the heads up.

What is the protocol here? Should I control my urge to connect the ledger to a PC and the internet now? My soul purpose for having a Ledger is to store my coins for a very long duration and I rarely connect my Ledger and go live. I have had terrible experiences in the past so I am either not connecting it every day or just rarely synch the new balances, check the updates, and bug fixes only.

Though the news only states we should not be connecting to dApps, what happens if I just connect it normally synch with the network? Because I know if I connect and if there are any updates for let us say wallets of different coins then it will start auto downloainf it. I just don't want to get involve with any of the mess right now when the balance is loaded.

[Z-tight]

Anyone knows whether Electrum uses the library as well?

This is about Ledger and their connector library, i do not know too much about Dapps and how some of them use ledger's connector library, but this has nothing to do with Electrum, even if you have your Electrum connected to your Ledger wallet, just make sure you're running your own node for better privacy and security. Ledger isn't a recommended hardware wallet, so people should not even be using this hardware wallet in the first place.

[cygan]

as Metamask announces, this affects not only Ledger users but everyone who uses dapps. at the same time, Metamask has deployed a fix for its users:


https://nitter.net/MetaMask/status/1735318141285085513

and according to this tweet you can see very well how the malicious 'connect wallet' popup menu opens over the original and offers the user various options:


https://nitter.net/apoorvlathey/status/1735281719216071019