Ledger recently identified and resolved a vulnerability issue in its Ledger Connect Kit library, resulting in an estimated loss of around $600,000.
Ledger, through a post on X, has stated that it identified, removed, and replaced a malicious version of the Ledger Connect Kit library. Additionally, it has advised users to temporarily avoid interacting with any dApps. Despite this, the company confirmed that neither Ledger devices nor the Ledger Live application were compromised by the discovered vulnerability.
As explained in a tweet by Hudson Jameson, Ledger devices remain secure: ‘The Ledger hardware wallet will not be “infected” by this virus. Those who may be affected are those interacting with an application on a website using malicious code to create pop-ups or fake options to manage their Ledger in the application (thus, they can steal cryptocurrencies).’
The vulnerability in question affects users who have interacted with dApps and Web3 applications in the last 3 hours. Ledger has summarized the sequence of events:
An estimate of losses
ZachXBT, a renowned on-chain transactions investigator, was one of the first to highlight the vulnerability, reporting an attempt to steal resources that could potentially have reached a worth of about $610,000.
