
Topic: IMPORTANT: Ledger ConnectKit Library has been Compromised with a drainer. - page 3. (Read 611 times)

sr. member
Activity: 448
Merit: 691
In ₿ we trust
I don't know if I'll be affected by it, but when I saw the news I definitely ran to revoke.cash and definitely got to sign there, but then suddenly it went to another website, so I closed it, like "Vercel" or something, can't remember. Do I have to worry about that?
Imo, as long as you didn't sign any of the prompts, you should be good to go. Unless you signed any message or interactions with your signature, you should be good to go. But still, remain vigilant till we have a full report.
You mean if I didn't sign anything like the "signed message" that we see on our wallet? I think I did, because I was on the right site of revoke.cash but then suddenly it went to another site and it asked to log in with my GitHub etc. I'm monitoring my wallet but nothing is happening at the moment, do I have to move anything then?

I would switch to a secure wallet so I don't have to worry about this anymore.
hero member
Activity: 2212
Merit: 805
Top Crypto Casino
What does this really mean though? Is this the library used by dapps to allow users to connect directly to the Ledger, instead of using MetaMask as an intermediary?  I don't believe I have seen many sites using that lately?

The library is used by various dapps for their "Connect Wallet" modal that users can click to connect their wallets to these dapps in order to facilitate interactions. One of the libraries (Ledger's ConnectKit) that is used in most frontends was compromised.

The issue mainly affects users who use frontends for interactions.
staff
Activity: 3500
Merit: 6152
What does this really mean though? Is this the library used by dapps to allow users to connect directly to the Ledger, instead of using MetaMask as an intermediary?  I don't believe I have seen many sites using that lately?
hero member
Activity: 2030
Merit: 578
No God or Kings, only BITCOIN.
I don't know if I'll be affected by it, but when I saw the news I definitely ran to revoke.cash and definitely got to sign there, but then suddenly it went to another website, so I closed it, like "Vercel" or something, can't remember. Do I have to worry about that?
Imo, as long as you didn't sign any of the prompts, you should be good to go. Unless you signed any message or interactions with your signature, you should be good to go. But still, remain vigilant till we have a full report.
You mean if I didn't sign anything like the "signed message" that we see on our wallet? I think I did, because I was on the right site of revoke.cash but then suddenly it went to another site and it asked to log in with my GitHub etc. I'm monitoring my wallet but nothing is happening at the moment, do I have to move anything then?
hero member
Activity: 2212
Merit: 805
Top Crypto Casino
I don't know if I'll be affected by it, but when I saw the news I definitely ran to revoke.cash and definitely got to sign there, but then suddenly it went to another website, so I closed it, like "Vercel" or something, can't remember. Do I have to worry about that?

Imo, as long as you didn't sign any of the prompts, you should be good to go. Unless you signed any message or interactions with your signature, you should be good to go. But still, remain vigilant till we have a full report.
sr. member
Activity: 448
Merit: 691
In ₿ we trust
The important thing now is not to interact with absolutely anything on chain until the problems are resolved.

Again problems with the Ledger. I use a Ledger Nano X and from now on I will consider getting a new hardware wallet.
hero member
Activity: 2030
Merit: 578
No God or Kings, only BITCOIN.
I don't know if I'll be affected by it, but when I saw the news I definitely ran to revoke.cash and definitely got to sign there, but then suddenly it went to another website, so I closed it, like "Vercel" or something, can't remember. Do I have to worry about that?
hero member
Activity: 2212
Merit: 805
Top Crypto Casino
Apparently, Ledger is in the news again for the wrong reasons.

At first, the SushiSwap CTO (one of the leading DEXs) made a tweet about the suspected vulnerability.



The primary issue is that the Ledger ConnectKit NPM package library that is used across the majority of decentralized applications was updated a few hours ago with malicious code (drainer):



How come?

It looks like the NPM key was leaked via a GitHub Action, which means anyone can invoke the action via a PR on Ledger's GitHub orgs, then leak that key by crafting a malicious package.json.




Right now, any user interacting with any and all dapps could potentially be exposed to the vulnerability and end up losing all funds to drainers. According to my research so far, it doesn't include users who are just using Ledger for day-to-day transfers with no interactions, and prior interactions before the vulnerability was disclosed appear to be good.

Side note: This only shows how poorly the Ledger team takes security and their continued negligence of the security of their products and services.

Update #1: Ledger has confirmed the vulnerability report:
Quote
🚨We have identified and removed a malicious version of the Ledger Connect Kit. 🚨

A genuine version is being pushed to replace the malicious file now. Do not interact with any dApps for the moment. We will keep you informed as the situation evolves.

Your Ledger device and Ledger Live were not compromised.
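
Added example, not part of the original post and not Ledger's code: a lockfile check a dapp maintainer could run to see which copies of the ConnectKit package a build resolves, including copies pulled in transitively. The npm name `@ledgerhq/connect-kit` is assumed to be the package the post refers to, and the version strings and sample lockfile are constructed placeholders, since the thread does not list the malicious versions.

```javascript
// Added example: locate every resolved copy of a package in an npm lockfile
// and flag versions named in an advisory.
const PACKAGE = "@ledgerhq/connect-kit"; // assumed npm name of Ledger ConnectKit
const BAD_VERSIONS = new Set(["0.0.0-PLACEHOLDER"]); // placeholder: take real values from the vendor advisory

// lockfileVersion 2/3: flat "packages" map keyed by install path.
function fromPackagesMap(packages, name) {
  const suffix = "node_modules/" + name;
  return Object.entries(packages)
    // Match top-level and nested installs, but not names that merely share a prefix.
    .filter(([path]) => path === suffix || path.endsWith("/" + suffix))
    .map(([path, meta]) => ({ path, version: meta.version }));
}

// lockfileVersion 1: nested "dependencies" tree, walked recursively.
function fromDependencyTree(deps, name, trail = []) {
  const hits = [];
  for (const [dep, meta] of Object.entries(deps || {})) {
    const here = [...trail, dep];
    if (dep === name) hits.push({ path: here.join(" > "), version: meta.version });
    hits.push(...fromDependencyTree(meta.dependencies, name, here));
  }
  return hits;
}

// Returns one record per resolved copy, with flagged=true for advisory versions.
function auditLockfile(lock, name, badVersions) {
  const hits = lock.packages
    ? fromPackagesMap(lock.packages, name)
    : fromDependencyTree(lock.dependencies, name);
  return hits.map((h) => ({ ...h, flagged: badVersions.has(h.version) }));
}

// Constructed sample lockfile (not from any real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-dapp", version: "1.0.0" },
    "node_modules/@ledgerhq/connect-kit": { version: "0.0.0-PLACEHOLDER" },
    "node_modules/some-wallet-ui/node_modules/@ledgerhq/connect-kit": { version: "0.0.1-OTHER" },
    "node_modules/@ledgerhq/connect-kit-lookalike": { version: "9.9.9" }, // constructed name, must not match
  },
};

console.log(auditLockfile(SAMPLE_LOCK, PACKAGE, BAD_VERSIONS));
```

A lockfile check only covers code bundled at build time; a frontend that fetches the library from a CDN at runtime picks up whatever version the CDN serves.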