The front end of multiple decentralized applications (DApps) using Ledger’s connector, including Zapper, Sushiswap, and Revoke.cash, were compromised earlier on Dec. 14.
SushiSwap chief technical officer Mathew Lilley reported that a commonly used Web3 connector has been compromised, allowing malicious code to be injected into numerous DApps. The on-chain analyst said that the Ledger library confirmed the compromise where the vulnerable code inserted the drainer account address.
RED ALERT :
Do not interact with ANY dApps until further notice. It appears that a commonly used web3 connector has been compromised which allows for injection of malicious code affecting numerous dApps.
— I’m Software (@MatthewLilley) December 14, 2023
Ledger connector is a library that is used by many DApps and maintained by Ledger. It has been compromised and a wallet drainer was added. The draining of funds from a user’s account might not happen on its own. However, prompts from your browser wallet (like MM) will display that give their assets to the malicious actors.
On-chain analysts warned users to avoid using any DApps using the Ledger connector while adding that the connect-kit-loader is also vulnerable at the moment.
seems like the Ledger’s @ledgerhq/connect-kit npm package was hacked, the latest publish was 2 hours ago. https://t.co/jFb6CThljS pic.twitter.com/AsbA675D9Q
— Scam Sniffer | Web3 Anti-Scam (@realScamSniffer) December 14, 2023
This is a developing story, and further information will be added as it becomes available.
Source: https://cointelegraph.com/news/multiple-dapps-using-ledger-connector-compromised
