It has been just revealed the fact that the Ledger hardware wallet is revealing a critical security vulnerability. Check out the latest reports about this below.
Ledger announces critical vulnerability
Ledger has issued a warning to its users about a significant exploit. It is urging them to temporarily stop their interaction with decentralized applications (DApps) through their hardware wallets.
In a recent post on the social media platform X, Ledger stated that it has identified and replaced a harmful version of its connect kit – a code used to link hardware wallets to DApps.
“We have identified and removed a malicious version of the Ledger Connect Kit. A genuine version is being pushed to replace the malicious file now. Do not interact with any DApps for the moment. We will keep you informed as the situation evolves. Your Ledger device and Ledger Live were not compromised.”
Ledger, a hardware wallet manufacturer, discovered a security breach after a former employee fell victim to a phishing scam, which led to the loss of access to their NPMJS account.
NPMJS is a website used by developers to create code and applications.
The bad actor behind the phishing scam uploaded a malicious version of Ledger’s connect kit, which rerouted funds from users to the hacker’s wallet.
However, Ledger was able to address this issue within five hours of it going live.
Afterwards, Ledger reported the hacker’s address, which prompted Tether, a stablecoin issuer, to freeze the hacker’s stash of USDT.
“This morning CET, a former Ledger Employee fell victim to a phishing attack that gained access to their NPMJS account. The attacker published a malicious version of the Ledger Connect Kit. The malicious code used a rogue WalletConnect project to reroute funds to a hacker wallet.
Ledger’s technology and security teams were alerted, and a fix was deployed within 40 minutes of Ledger becoming aware. The malicious file was live for around five hours, however, we believe the window where funds were drained was limited to a period of less than two hours…”
The notes continued and said the following as reported by the online publication the Daily Hodl:
“The genuine and verified Ledger Connect Kit version 1.1.8 is now propagating and is safe to use. Ledger, along with Walletconnect and our partners, have reported the bad actor’s wallet address. The address is now visible on Chainalysis. Tether has frozen the bad actor’s USDT.”
Lookonchain stated the fact that the hacker managed to steal about $484,000 worth of digital assets from Ledger.