December 14, 2023 at 11:25AM
Ledger warns users not to use web3 dApps after a supply chain attack compromised their “Ledger dApp Connect Kit” library, causing a JavaScript wallet drainer to steal $600,000 in crypto and NFTs. The company removed the malicious version, uploaded a clean version, and advised users to clear sign transactions and be vigilant against phishing attacks.
The key takeaways from the meeting notes are as follows:
– Ledger issued a warning to users to avoid using web3 dApps due to a supply chain attack on the “Ledger dApp Connect Kit” library, which resulted in the theft of $600,000 in crypto and NFTs.
– The compromised library has been identified as versions 1.1.5 through 1.1.7, and a clean version (1.1.8) has been uploaded on Ledger’s distribution channels.
– Ledger has advised users to replace the compromised versions of the library with the new clean version, and to “Clear Sign” all transactions.
– Phishing attacks are also ongoing, with users being warned to remain vigilant for messages asking them to share their 24-word secret recovery phrase.
– The compromise was initiated through the breaching of Ledger’s NPMJS account during a phishing attack on a former employee, and the compromised library was available for 5 hours.
– The core hardware (Ledger device) and the main software application (Ledger Live) used for managing cryptocurrency assets have not been compromised.
– The compromise involved the deployment of a wallet drainer that attempted to steal cryptocurrency and NFTs from Coinbase, Trust Wallet, and MetaMask.
– Approximately $680,000 was stolen in the supply chain attack, and Ledger has reported the hacker’s wallet addresses, with Tether freezing stolen USDT.
– Ledger plans to publish a comprehensive report on the incident later today, with a focus on securing the library and investigating the breach.
These takeaways summarize the key points and actions arising from the meeting notes.