Ledger releases library update as users advised to avoid dApps
On-chain investigators discovered that a CDN breach had replaced the library with a drainer.
Ledger, a maker of crypto hardware wallets, has acknowledged a security breach affecting its ConnectKit library.
“The Ledger Connect Kit was scanned, and a malicious version was deleted. The malicious file is now being replaced with a legitimate version. Stay away from decentralized applications (dApps) right now.”
An official from Yearn.finance, Banteg, said: “Drainer was installed after a proven breach of the Ledger library. Refrain from engaging with any [decentralized apps] until the situation is clarified.”
Additionally, the creator mentioned: “If the hackers managed to get their hands on the connect-kit, they would have compromised a plethora of libraries. The ledger has identified 1.1.4 as being the most recent version.”
Until further notice, users of SushiSwap and Revoke Cash, two of the DeFi projects affected by the incident, are advised not to interact with the projects' frontends.
“We’ve discovered a serious problem with the Ledger connector. It has been compromised, and malicious code could be injected and affect different decentralized applications,” SushiSwap said.
A vice president of Polygon Labs, Hudson James, reiterated the concerns and cautioned cryptocurrency users to avoid interacting with any web-based dApp at this time. He went on to say:
“Dapps can be dangerous right now if you don’t know which libraries they use for their backends, and this isn’t going away.”