Hundreds of thousands of dollars in crypto stolen after Ledger code poisoned
Cryptocurrency wallet maker Ledger says someone slipped malicious code into one of its JavaScript libraries to steal more than half a million dollars from victims.
The library in question is Connect Kit, which allows DApps - decentralized software applications - to connect to and use people's Ledger hardware wallets.
"The attacker published a malicious version of the Ledger Connect Kit," said Gauthier.
Kalis pointed out that Ledger distributes Connect Kit through a content delivery network, which means that developers cannot pin the library, that is, limit it to a specific version.
Kalis accepted some of the blame by acknowledging that while Ledger should not have published its library in a way that did not support dependency pinning, Revoke.
Kalis says the only answer as he sees it is for victims to seek reimbursement for losses from Ledger, adding, "It is currently unclear if Ledger plans to do this."
News URL
https://go.theregister.com/feed/www.theregister.com/2023/12/16/ledger_crypto_conect_kit/