Multiple DApps using Ledger connector compromised


The front ends of multiple decentralized applications (DApps) using Ledger’s connector, including Zapper, Sushiswap, and Revoke.cash, were compromised earlier on Dec. 14.

SushiSwap chief technical officer Mathew Lilley reported that a commonly used Web3 connector has been compromised, allowing malicious code to be injected into numerous DApps. The on-chain analyst said that the compromise of the Ledger library was confirmed, with the vulnerable code inserting the drainer account address.

Ledger connector is a library that is used by many DApps and maintained by Ledger. It has been compromised and a wallet drainer was added. The draining of funds from a user’s account might not happen on its own. However, the user’s browser wallet (such as MetaMask) will display prompts that would give their assets to the malicious actors.

On-chain analysts warned users to avoid any DApps that use the Ledger connector, adding that the connect-kit-loader is also vulnerable at the moment.

This is a developing story, and further information will be added as it becomes available.