Hardware wallet maker Ledger has warned its users against connecting to decentralized applications (dapps), following the identification of a malicious version of the Ledger Connect Kit.
A Ledger spokesperson said it had identified and removed a malicious version of the Ledger Connect Kit.
The malicious file is currently being replaced with an original copy. The spokesperson advised against interacting with any decentralized applications at present.
The spokesperson added that Ledger devices and the Ledger Live app were not compromised and that the company will continue to inform users of developments in the situation.
The developers of the MetaMask wallet also warned users to stop using decentralized applications immediately after news of the attack circulated.
The hacked version of the package was first identified by developers who posted about it on Twitter. Connect Kit is a library that enables Ledger’s electronic wallet to connect to decentralized applications (DApps).
The Ledger Connect Kit library is a collection of technical tools developed by Ledger, designed to facilitate communication between Ledger e-wallets and decentralized applications (DApps).
It is best to stop using DApps for now
The attacker injected wallet-draining malware into the Ledger Connect Kit NPM package, Web3 security firm Blockaid reported, adding that DApps using versions 1.1.4 and above of the Ledger Connect Kit, including Sushi.com and Hey.xyz, were affected.
Matthew Lilley, CTO of SushiSwap, also criticized Ledger for making a series of critical mistakes. He explained that the commonly used web3 connector had been hacked, allowing the introduction of malicious code that affected many decentralized applications.
He added that users should avoid using any decentralized applications until their team confirms that they have been able to mitigate the attack.
Hudson Jameson, a representative of Ethereum developers, said that a library managed by Ledger and used by many DApps was hacked, and that a malicious program was added to it to empty wallets (take money from them).
He reiterated that currently using DApps is considered risky if you don’t understand the back-end libraries they use.
Jameson added that even after Ledger fixes the bad code in its library, projects that use and deploy that library must also update before it is safe to use DApps that rely on Ledger’s web3 libraries.
Ledger’s past problems with security breaches
Ledger has faced criticism in recent months over its security measures. The company’s voluntary ID-based recovery service has angered cryptocurrency users.
The service, which is unrelated to today’s attack, splits a user’s seed phrase and stores it with three separate custodians, requiring the user to provide a passport or national ID card as proof.
With angry users leaving the service, Ledger co-founder Éric Larchevêque described it as a complete public relations failure, but by no means a technical failure.
A seed phrase is a string of random words used to restore and use a cryptocurrency wallet if the owner loses access to it or needs to recover data.
The phrase is usually 12 or 24 words long and is generated randomly when you set up a new cryptocurrency wallet.
In November, a fake Ledger app on the Microsoft App Store stole nearly $1 million from customers.
The company faced criticism in 2020 after a customer database containing email addresses was hacked. As a result, more than a million user emails were compromised.