Security News > 2023 > December > Ledger dApp supply chain attack steals $600K from crypto wallets

Ledger is warning users not to use web3 dApps after a supply chain attack on the 'Ledger dApp Connect Kit' library was found pushing a JavaScript wallet drainer that stole $600,000 in crypto and NFTs. Ledger is a hardware wallet that lets users buy, manage, and securely store their digital assets offline, supporting multiple cryptocurrencies, including Bitcoin and Ethereum.
The company offers a library called the "Ledger dApps Connect Kit" that allows web3 apps to connect to Ledger hardware wallets.
Today, Ledger warns users that its Ledger Connect Kit was compromised to include malicious code and that all users should avoid using dApps for now.
"The attacker published a malicious version of the Ledger Connect Kit," Ledger told BleepingComputer.
Ledger has assured users that the core hardware and the main software application used for managing cryptocurrency assets have not been compromised or directly affected by this supply chain attack.
Related news
- North Korea targets crypto developers via NPM supply chain attack (source)
- Abandoned AWS S3 buckets can be reused in supply-chain attacks that would make SolarWinds look 'insignificant' (source)
- Google Play, Apple App Store apps caught stealing crypto wallets (source)
- Cross-Platform JavaScript Stealer Targets Crypto Wallets in New Lazarus Group Campaign (source)
- Bybit Confirms Record-Breaking $1.5 Billion Crypto Heist in Sophisticated Cold Wallet Attack (source)
- GitVenom attacks abuse hundreds of GitHub repos to steal crypto (source)
- GrassCall malware campaign drains crypto wallets via fake job interviews (source)
- Bybit Hack Traced to Safe{Wallet} Supply Chain Attack Exploited by North Korean Hackers (source)
- China-Linked Silk Typhoon Expands Cyber Attacks to IT Supply Chains for Initial Access (source)
- GitHub supply chain attack spills secrets from 23,000 projects (source)