IMPORTANT: Ledger ConnectKit Library has been Compromised with a drainer. - page 3.

criptoevangelista

full member

Activity: 238

Merit: 494

Siga sempre em frente! always move forward!

Quote from: rhomelmabini on December 14, 2023, 09:56:28 AM

Quote from: nelson4lov on December 14, 2023, 09:48:42 AM

Quote from: rhomelmabini on December 14, 2023, 09:46:00 AM

I don't know if I'll be affected on it but when I saw the news I definitely run to revoke.cash and definitely I get to signed there but then suddenly it goes with another website so I closed it like "Vercel" or something, can't remember. Do I have to worry for that?

Imo, As long as you didn't sign any of the prompts, you should be good to good. Unless you signed any message or interactions with your signature, you should be good to go. But still, remain vigilant till we have a full report.

You mean if I didn't signed anything like the "signed message" that we see on our wallet? I think I did, because I was on the right site of revoke.cash but then suddenly it goes for another site and it asks to login with my GitHub etc., monitoring my wallet but nothing is happening at the moment, do I have to move anything then?

I would switch to a secure wallet so I don't have to worry about this anymore.

nelson4lov

hero member

Activity: 2030

Merit: 789

Top Crypto Casino

Quote from: OmegaStarScream on December 14, 2023, 09:56:46 AM

What does this really mean though? Is this the library used by dapps to allow users to connect directly to the Ledger, instead of using MetaMask as an intermediary? I don't believe I have seen many sites using that lately?

The Library is used by various dapps for their "Connect Wallet" modal that users can click to connect their wallets to these dapps in other to facilitate interactions. One of the libraries (Ledger's ConnectKit) that is used in most frontends was compromised.

The issue mainly affects users that uses frontends for interactions.

OmegaStarScream

staff

Activity: 3402

Merit: 6065

What does this really mean though? Is this the library used by dapps to allow users to connect directly to the Ledger, instead of using MetaMask as an intermediary? I don't believe I have seen many sites using that lately?

rhomelmabini

hero member

Activity: 2002

Merit: 578

Quote from: nelson4lov on December 14, 2023, 09:48:42 AM

Quote from: rhomelmabini on December 14, 2023, 09:46:00 AM

I don't know if I'll be affected on it but when I saw the news I definitely run to revoke.cash and definitely I get to signed there but then suddenly it goes with another website so I closed it like "Vercel" or something, can't remember. Do I have to worry for that?

Imo, As long as you didn't sign any of the prompts, you should be good to good. Unless you signed any message or interactions with your signature, you should be good to go. But still, remain vigilant till we have a full report.

You mean if I didn't signed anything like the "signed message" that we see on our wallet? I think I did, because I was on the right site of revoke.cash but then suddenly it goes for another site and it asks to login with my GitHub etc., monitoring my wallet but nothing is happening at the moment, do I have to move anything then?

nelson4lov

hero member

Activity: 2030

Merit: 789

Top Crypto Casino

Quote from: rhomelmabini on December 14, 2023, 09:46:00 AM

I don't know if I'll be affected on it but when I saw the news I definitely run to revoke.cash and definitely I get to signed there but then suddenly it goes with another website so I closed it like "Vercel" or something, can't remember. Do I have to worry for that?

Imo, As long as you didn't sign any of the prompts, you should be good to good. Unless you signed any message or interactions with your signature, you should be good to go. But still, remain vigilant till we have a full report.

criptoevangelista

full member

Activity: 238

Merit: 494

Siga sempre em frente! always move forward!

The important thing now is not to interact with absolutely anything on chain until the problems are resolved.

again problems with the ledger. I use a ledger nano X and from now on I will consider getting a new hardwallet.

rhomelmabini

hero member

Activity: 2002

Merit: 578

I don't know if I'll be affected on it but when I saw the news I definitely run to revoke.cash and definitely I get to signed there but then suddenly it goes with another website so I closed it like "Vercel" or something, can't remember. Do I have to worry for that?

nelson4lov

hero member

Activity: 2030

Merit: 789

Top Crypto Casino

Apparently, Ledger is in the news again for the wrong reasons.

At first, SuchiSwap CTO (one of the leading DEXs) made a tweet about the suspected vulnerability.

The primary issue is that the Ledger ConnectKit NPM package Library that is used across majority of decentralized applications was updated few hours ago with malicious code (drainer):

How come?

It looks like the NPM key was leaked via a github action which means Anyone can invoke the action via a PR on Ledger's GitHub Orgs, then leak that key by crafting a malicious package.json.

Right now, any user interacting with any and all Dapps could potentially be exposed to the vulnerability and end up losing all funds to drainers. According to my research so far, it doesn't include users who are just using Ledger for day-to-day transfers with no interactions and prior interactions before the vulnerability was disclosed appears to good.

Side note: This only shows how poorly the Ledger team takes security and their continued negligence of the security of their products and services.

Update #1: Ledger has confirmed the vulnerability report:

Quote

🚨We have identified and removed a malicious version of the Ledger Connect Kit. 🚨

A genuine version is being pushed to replace the malicious file now. Do not interact with any dApps for the moment. We will keep you informed as the situation evolves.

Your Ledger device and Ledger Live were not compromised.

Topic: IMPORTANT: Ledger ConnectKit Library has been Compromised with a drainer. - page 3. (Read 523 times)