Malicious Package Affecting @ledgerhq/connect-kit package, versions >1.1.4 <1.1.8
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JS-LEDGERHQCONNECTKIT-6127404
- published 15 Dec 2023
- disclosed 14 Dec 2023
- credit Unknown
How to fix?
Avoid using all malicious instances of the @ledgerhq/connect-kit
package.
Overview
@ledgerhq/connect-kit is a malicious package. This package contains obfuscated crypto drainer code. This is a type of malware that executes unauthorized cryptocurrency transactions to transfer assets to attacker-controlled wallets.
Note:
To interface with Ledger's browser extension, decentralized application frontends (dApps) include a code snippet from Ledger, executed via a connect-kit-loader proxy. This proxy dynamically fetches and executes the latest version of connect-kit from npm. Hence, once the malicious versions were published to npm, any dApp using the official connect-kit-loader would inadvertently pull a malicious version when the user selected the Ledger Wallet Provider.