Security News > 2023 > December > Ledger dApp supply chain attack steals $600K from crypto wallets
Ledger is warnings users not to use web3 dApps after a supply chain attack on the 'Ledger dApp Connect Kit' library was found pushing a JavaScript wallet drainer that stole $600,000 in crypto and NFTs. Ledger is a hardware wallet that lets users buy, manage, and securely store their digital assets offline, supporting multiple cryptocurrencies, including Bitcoin and Ethereum.
The company offers a library called the "Ledger dApps Connect Kit" that allows web3 apps to connect to Ledger hardware wallets.
Today, Ledger warns users that its Ledger Connect Kit was compromised to include malicious code and that all users should avoid using dApps for now.
"The attacker published a malicious version of the Ledger Connect Kit." Ledger told BleepingComputer.
Ledger has assured users that the core hardware and the main software application used for managing cryptocurrency assets have not been compromised or directly affected by this supply chain attack.
Fake Ledger Live app in Microsoft Store steals $768,000 in crypto.
News URL
Related news
- North Korea targets crypto developers via NPM supply chain attack (source)
- It's only a matter of time before LLMs jump start supply-chain attacks (source)
- New Web3 attack exploits transaction simulations to steal crypto (source)
- Decentralization is happening everywhere, so why are crypto wallets “walled gardens”? (source)
- PlushDaemon APT Targets South Korean VPN Provider in Supply Chain Attack (source)
- IPany VPN breached in supply-chain attack to push custom malware (source)
- Supply chain attack hits Chrome extensions, could expose millions (source)
- Abandoned AWS S3 buckets can be reused in supply-chain attacks that would make SolarWinds look 'insignificant' (source)
- Google Play, Apple App Store apps caught stealing crypto wallets (source)
- Cross-Platform JavaScript Stealer Targets Crypto Wallets in New Lazarus Group Campaign (source)