Hardware wallet provider Ledger has warned its users to refrain from connecting to any supported decentralized applications (dApps) using its software after its ConnectKit library was compromised. The company identified and removed a malicious version of the ConnectKit library from its backend, highlighting the potential security risk.
According to Ledger’s announcement on X (formerly Twitter), users are strongly advised not to interact with any dApps for the time being. The compromised ConnectKit library was discovered by a developer on X with the username @bantg, who identified a “wallet-draining payload” injected into the Ledger software library hosted on a content delivery network (CDN). The compromise affects dApps using versions 1.14 and above of Ledger’s ConnectKit.
Ledger reassured users that their Ledger devices and Ledger Live apps remain unaffected by the malicious code. However, caution is urged until further updates and fixes are implemented.
Blockchain projects, including RevokeCash and Kyber Network, confirmed the incident. RevokeCash briefly suspended its website to rectify the issue, and users are advised not to connect their crypto wallets to any blockchain protocols until the situation is resolved.
Despite efforts to eliminate the compromised code, industry experts recommend exercising caution when interacting with any Web3-based solutions tied to the Ledger ecosystem. Ethereum core developer Hudson Jameson emphasized the importance of updating connected dApps’ libraries to ensure user safety.
As the situation evolves, users should stay informed about updates from Ledger and exercise diligence when using dApps in the meantime.