Malicious Code Found in Recent Update of @ledgerhq/connect-kit NPM Package

In a concerning development for the cryptocurrency community, a recent update to the @ledgerhq/connect-kit NPM package, specifically version 1.1.7, has been flagged for containing suspicious and potentially malicious source code. This discovery has raised alarms about the security of digital assets and the integrity of tools used for their management.

The issue first came to light when users noticed unusual behavior in version 1.1.7 of the package, which is widely used in decentralized applications (dApps) for wallet interaction. Investigations revealed that the source code served from the Content Delivery Network (CDN) URL cdn.jsdelivr.net/npm/@ledgerhq/connect-kit@1.1.7 was compromised, so any dApp that loaded the package from the CDN at runtime received the compromised code.

Twitter user @bantg and others in the community quickly identified and reported the issue. The compromised code, as seen in the repository at github.com/LedgerHQ/connect-kit/blob/main/packages/connect-kit-loader/src/index.ts#L83C49-L83C68, raised concerns over the package's reliability and safety.

Subsequent discussions on GitHub revealed that multiple versions of the package, including 1.1.5 and 1.1.6, contained similar vulnerabilities. Users reported instances of lost funds and compromised wallets, particularly when interacting with suspicious links like combine.nfd.gg.

Experts pointed out that the way the connect-kit-loader fetches Connect Kit from a CDN at runtime, rather than bundling a fixed copy, posed a significant risk: every downstream dApp receives whatever the CDN serves, so any compromise of the connect-kit package reaches all of them immediately, with no rebuild or redeploy on the dApp side. Users of popular platforms like wagmi and MetaMask SDK were potentially affected.

In response to the crisis, LedgerHQ released a new version, 1.1.8, addressing the vulnerabilities and updating the CDN code. However, concerns remain about the broader implications of such incidents on the security practices within the cryptocurrency ecosystem.

The discovery of malicious code in a widely-used package like @ledgerhq/connect-kit serves as a stark reminder of the persistent security challenges in the digital asset space. Developers and users alike are urged to exercise caution and stay vigilant, especially when dealing with wallet integrations and software updates.

References:

  1. npmjs.com/package/@ledgerhq/connect-kit

  2. twitter.com/bantg/status/1735279127752540465

  3. github.com/LedgerHQ/connect-kit
