Showing 3 changed files with 3 additions and 2 deletions.
a4ba694
Where is the fix?
@npomfret
This commit is just to start a new GitHub build that will pull the new code from here:
connect-kit/packages/connect-kit-loader/src/index.ts, line 83 in e4e5f5b
The compromised code is in version 1.1.7: https://cdn.jsdelivr.net/npm/@ledgerhq/connect-kit@1.1.7
The fixed code is in 1.1.8: https://cdn.jsdelivr.net/npm/@ledgerhq/connect-kit@1.1.8
Do I have any chance of getting my device compromised by opening those links?
@natonamco no, it doesn't execute code
wow what a quality fix
Is this code open sourced?
The versioning in the commit history doesn't match any 1.1.7, and I can't find minimalDrainValue (from the alleged compromised source) when I search globally in this repo. Doesn't look open sourced, or this portion might have been deleted(?)
Malicious code was deployed directly to npm; GitHub was not affected.