Security News > 2023 > December > Ledger dApp supply chain attack steals $600K from crypto wallets
Ledger is warnings users not to use web3 dApps after a supply chain attack on the 'Ledger dApp Connect Kit' library was found pushing a JavaScript wallet drainer that stole $600,000 in crypto and NFTs. Ledger is a hardware wallet that lets users buy, manage, and securely store their digital assets offline, supporting multiple cryptocurrencies, including Bitcoin and Ethereum.
The company offers a library called the "Ledger dApps Connect Kit" that allows web3 apps to connect to Ledger hardware wallets.
Today, Ledger warns users that its Ledger Connect Kit was compromised to include malicious code and that all users should avoid using dApps for now.
"The attacker published a malicious version of the Ledger Connect Kit." Ledger told BleepingComputer.
Ledger has assured users that the core hardware and the main software application used for managing cryptocurrency assets have not been compromised or directly affected by this supply chain attack.
Fake Ledger Live app in Microsoft Store steals $768,000 in crypto.
News URL
Related news
- China-Linked Silk Typhoon Expands Cyber Attacks to IT Supply Chains for Initial Access (source)
- GitHub supply chain attack spills secrets from 23,000 projects (source)
- Supply chain attack on popular GitHub Action exposes CI/CD secrets (source)
- Hackers target AI and crypto as software supply chain risks grow (source)
- Microsoft Warns of StilachiRAT: A Stealthy RAT Targeting Credentials and Crypto Wallets (source)
- Google acquisition target Wiz links fresh supply chain attack to 23K pwned GitHub repos (source)
- GitHub Action hack likely led to another in cascading supply chain attack (source)
- GitHub Action supply chain attack exposed secrets in 218 repos (source)
- Coinbase Initially Targeted in GitHub Actions Supply Chain Attack; 218 Repositories' CI/CD Secrets Exposed (source)
- ⚡ THN Weekly Recap: GitHub Supply Chain Attack, AI Malware, BYOVD Tactics, and More (source)