Ledger dApp supply chain attack steals $600K from crypto wallets
2023-12-14 16:22

Ledger is warning users not to use web3 dApps after a supply chain attack on the 'Ledger dApp Connect Kit' library was found pushing a JavaScript wallet drainer that stole $600,000 in crypto and NFTs. Ledger is a hardware wallet that lets users buy, manage, and securely store their digital assets offline, supporting multiple cryptocurrencies, including Bitcoin and Ethereum.

The company offers a library called the "Ledger dApps Connect Kit" that allows web3 apps to connect to Ledger hardware wallets.

Today, Ledger warns users that its Ledger Connect Kit was compromised to include malicious code and that all users should avoid using dApps for now.

"The attacker published a malicious version of the Ledger Connect Kit," Ledger told BleepingComputer.

Ledger has assured users that the core hardware and the main software application used for managing cryptocurrency assets have not been compromised or directly affected by this supply chain attack.


News URL

https://www.bleepingcomputer.com/news/security/ledger-dapp-supply-chain-attack-steals-600k-from-crypto-wallets/