Crypto giant Ledger on December 14 warned users not to interact with decentralized web3 apps over concerns of a supply chain attack.
The company discovered that the attack on the 'Ledger dApp Connect Kit' library had introduced a JavaScript wallet drainer.
Ledger has since confirmed that it was the victim of a phishing attack and that the flaw has been fixed, allowing users to continue using the Ledger Connect Kit.
Crypto attack could have been prevented
Ledger confirmed at 4:49 PM CET via a post on X that a former employee had fallen victim to a phishing attack that compromised his NPMJS account. The attacker used the compromised account to publish a malicious version of the Ledger Connect Kit, which used a rogue WalletConnect project to route funds to the hacker's wallet.
Crypto researcher ZachXBT posted on X that more than $610,000 was stolen during the attack.
Ledger said the malicious file, which affected versions 1.1.5, 1.1.6 and 1.1.7, was live for about five hours, but the draining took place over a shorter period of about two hours. A fix was released within 40 minutes of Ledger becoming aware of this and the company has since confirmed that Ledger Connect Kit 1.1.8 is now fully distributed and users can continue as normal.
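A dependency check for the versions listed above, as an added example (not Ledger's code): it scans a parsed npm lockfile, in either the flat `packages` layout or the older nested `dependencies` layout, for installs pinned to 1.1.5, 1.1.6 or 1.1.7. The npm package name `@ledgerhq/connect-kit`, the `some-wallet-ui` dependency and the sample lockfile are assumptions constructed for illustration; the article names only the library.

```javascript
// Added example: find lockfile entries pinned to the Connect Kit versions
// the article lists as malicious.
const PKG = "@ledgerhq/connect-kit";                    // assumed npm name, not stated in the article
const AFFECTED = new Set(["1.1.5", "1.1.6", "1.1.7"]);  // affected versions per the article
const FIXED = "1.1.8";                                  // fixed release per the article

function findAffected(lock) {
  const hits = [];
  const record = (name, version, path) => {
    if (name === PKG && AFFECTED.has(version)) {
      hits.push({ path, version, fixedIn: FIXED });
    }
  };
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path, e.g.
    // "node_modules/a/node_modules/@scope/name"
    for (const [path, meta] of Object.entries(lock.packages)) {
      const name = meta.name || path.split("node_modules/").pop();
      record(name, meta.version, path);
    }
  } else {
    // lockfileVersion 1: nested "dependencies" tree, walked recursively
    const walk = (deps, trail) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        record(name, meta.version, [...trail, name].join(" > "));
        walk(meta.dependencies, [...trail, name]);
      }
    };
    walk(lock.dependencies, []);
  }
  return hits;
}

// Constructed sample: the top-level install is already on the fixed release,
// but a transitive copy is still pinned to an affected version.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-dapp", version: "0.1.0" },
    "node_modules/@ledgerhq/connect-kit": { version: "1.1.8" },
    "node_modules/some-wallet-ui/node_modules/@ledgerhq/connect-kit": { version: "1.1.6" },
  },
};

for (const hit of findAffected(SAMPLE_LOCK)) {
  console.log(`${hit.path} is pinned to ${hit.version}; upgrade to ${hit.fixedIn}`);
}
```

To check a real project, pass the parsed contents of its `package-lock.json` to `findAffected`.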
Ledger also reported the attacker's wallet address and, together with Tether, froze his USDT.
Pascal Gauthier, CEO of Ledger, has also commented on the incident, stating that the “unfortunate isolated incident” serves as a “reminder that security is not static” and that Ledger, and any other company, must continually improve their security.
Gauthier added: “Ledger will support affected users in finding this bad actor, bringing them to justice, tracing the funds and working with law enforcement authorities to recover stolen assets from the hacker.”