An attack on Ledger’s connector library could impact the entire Ethereum Virtual Machine (EVM) ecosystem, according to the team at Linea, Consensys’ zero-knowledge rollup.
Hackers targeted the Ledger connector library, which is designed to enable communication between Ledger hardware wallets and various decentralized applications (DApps). Wallet provider MetaMask was also affected by the security incident.
Dear web3 users,
This vulnerability appears to affect multiple dapps across the entire EVM ecosystem. It is extremely risky to interact with the dapp until the issue is properly resolved. Stay safe out there! https://t.co/kFykLW4lWm
— Linea (@LineaBuild) December 14, 2023
According to a post on X (Twitter), MetaMask has released an update to address issues with the MetaMask portfolio. “Before performing any transaction on your MetaMask portfolio, please ensure that the Blockaid feature is turned on in your MetaMask Extension,” MetaMask warned on X.
Other affected protocols include Zapper, SushiSwap, Phantom, Balancer, and Revoke.cash. Blockchain security company CertiK told Cointelegraph that any DApp that imports the Ledger CDN automatically runs drainer code, forcing victims to connect through a supported wallet.
Ledger is a popular hardware wallet used by many in the cryptocurrency community. The connector library is an important component that connects Ledger hardware to various DApps. If this library is compromised, it can affect many EVM users and transactions.
The attack began after a former Ledger employee suffered a phishing attack and had his NPMJS account compromised. “The attackers published a malicious version of the Ledger Connect Kit (affecting versions 1.1.5, 1.1.6, and 1.1.7). The malware used the malicious WalletConnect project to reroute funds to the hacker’s wallet,” the company wrote on X.
The fix was released nearly 40 minutes after Ledger discovered the issue. The company is warning users to wait 24 hours before using the Ledger Connect Kit again.
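For teams that install the library through npm, the affected versions listed above can be checked against a project's lockfile. The following is an added example, not code from Ledger or from the article; it assumes the npm package name `@ledgerhq/connect-kit` (not stated on this page) and runs on constructed sample lockfiles with a hypothetical `wallet-ui` dependency.

```javascript
// Added example: flag affected Ledger Connect Kit versions in a parsed package-lock.json.
const PACKAGE = "@ledgerhq/connect-kit";                 // assumed npm package name
const AFFECTED = new Set(["1.1.5", "1.1.6", "1.1.7"]);   // versions named in Ledger's statement

// Returns [{ path, version }] for every affected copy, including nested installs.
function findAffected(lock) {
  const hits = [];
  const check = (name, path, meta) => {
    if (name === PACKAGE && AFFECTED.has(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  };
  // lockfileVersion 2 and 3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    check(path.split("node_modules/").pop(), path, meta);
  }
  // lockfileVersion 1: nested "dependencies" tree (skipped when "packages"
  // exists, because version 2 files carry both and would report duplicates).
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = trail + "node_modules/" + name;
      check(name, path, meta);
      walk(meta.dependencies, path + "/");
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfiles; "wallet-ui" is a hypothetical dependency.
const SAMPLE_V3 = JSON.parse(`{
  "lockfileVersion": 3,
  "packages": {
    "": { "name": "demo-dapp", "version": "0.0.1" },
    "node_modules/@ledgerhq/connect-kit": { "version": "1.1.8" },
    "node_modules/wallet-ui/node_modules/@ledgerhq/connect-kit": { "version": "1.1.6" }
  }
}`);
const SAMPLE_V1 = {
  lockfileVersion: 1,
  dependencies: {
    "wallet-ui": {
      version: "2.0.0",
      dependencies: { "@ledgerhq/connect-kit": { version: "1.1.7" } },
    },
  },
};

console.log(findAffected(SAMPLE_V3), findAffected(SAMPLE_V1));
```

A lockfile only records what npm resolved at install time, so a copy of the library fetched from a CDN at page load will not appear in it.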
Final schedule and customer updates:
4:49 PM (CET):
Ledger Connect Kit retail version 1.1.8 is now automatically propagated. We recommend waiting 24 hours before using the Ledger Connect Kit again.
The investigation continues, and here is a timeline of what we know…
— Ledger (@Ledger) December 14, 2023
Blockchain analytics platform Lookonchain claimed hackers stole nearly $484,000 worth of assets, but the impact of the security breach could have been greater, Ledger said.