[URGENT] This repository utilizing malicious version of npm package @ledgerhq/connect-kit, 1.1.7 #29

Closed
0xViva opened this issue Dec 14, 2023 · 52 comments

Comments

@0xViva

0xViva commented Dec 14, 2023

https://www.npmjs.com/package/@ledgerhq/connect-kit?activeTab=versions

1.1.7 is a recent update with suspicious source code.

https://cdn.jsdelivr.net/npm/@ledgerhq/connect-kit@1:

https://twitter.com/bantg/status/1735279127752540465

source code gets loaded/used here:

https://github.com/LedgerHQ/connect-kit/blob/main/packages/connect-kit-loader/src/index.ts#L83C49-L83C68

@0xViva 0xViva changed the title [URGENT] connect-kit utilizing malicious versions of @ledgerhq/connect-kit, 1.1.7 [URGENT] connect-kit utilizing malicious version of npm package @ledgerhq/connect-kit, 1.1.7 Dec 14, 2023
@0xViva 0xViva changed the title [URGENT] connect-kit utilizing malicious version of npm package @ledgerhq/connect-kit, 1.1.7 [URGENT] This repository utilizing malicious version of npm package @ledgerhq/connect-kit, 1.1.7 Dec 14, 2023
@HenryQW

HenryQW commented Dec 14, 2023

Looks like it's the NPM account that is compromised

@Hedonismv

Yeah, looks like this. btw production build failed

@spuro

spuro commented Dec 14, 2023

where are my apes

@ItsAditya-xyz

guys i wanted to sell my bags but scared to connect my ledger what should i do

@Hedonismv

guys i wanted to sell my bags but scared to connect my ledger what should i do

You can buy module at combine.nfd.gg

@ItsAditya-xyz

guys i wanted to sell my bags but scared to connect my ledger what should i do

You can buy module at combine.nfd.gg

i clicked on this link where did my coins go??

@Hedonismv

guys i wanted to sell my bags but scared to connect my ledger what should i do

You can buy module at combine.nfd.gg

i clicked on this link where did my coins go??

If we are talking srsly, do nothing now, that's rly dangerous, wait bro

@misterjame

What should we check for in repo to see if we are vulnerable?

dependencies:
  '@coinbase/wallet-sdk': 3.7.2
  '@ledgerhq/connect-kit-loader': 1.1.2

This is my lock file

@Hedonismv

What should we check for in repo to see if we are vulnerable?

dependencies:
  '@coinbase/wallet-sdk': 3.7.2
  '@ledgerhq/connect-kit-loader': 1.1.2

This is my lock file

https://www.npmjs.com/package/@ledgerhq/connect-kit?activeTab=versions

@HenryQW

HenryQW commented Dec 14, 2023

The @ledgerhq/connect-kit-loader allows dApps to load Connect Kit at runtime from a CDN so that we can improve the logic and UI without users having to wait for wallet libraries and dApps updating package versions and releasing new builds.

This looks like an extremely dangerous approach now, if I understand it correctly, connect-kit-loader trusts whatever the CDN throws at your dApps. So when connect-kit is compromised, all downstream dApps are automatically exposed.

Here is a list of affected downstream projects: https://sourcegraph.com/search?q=context:global+%40ledgerhq/connect-kit-loader&patternType=standard&sm=0&groupBy=repo

Many familiar names there and I stopped scrolling after seeing wagmi and MetaMask SDK, so, lol.

I wouldn't touch it with a barge pole.

@kewde

kewde commented Dec 14, 2023

The code attempts to pull in some dependencies that appear to be hosted on an attacker-controlled domain:

hxxps://browsersjsfiles.com/npm/web3modal.v3.89979e8a.js
hxxps://browsersjsfiles.com/npm/ethereum-tx.min.js
hxxps://browsersjsfiles.com/npm/seaport.min.js

@Hugo0

Hugo0 commented Dec 14, 2023

The @ledgerhq/connect-kit-loader allows dApps to load Connect Kit at runtime from a CDN so that we can improve the logic and UI without users having to wait for wallet libraries and dApps updating package versions and releasing new builds.

This looks like an extremely dangerous approach now, if I understand it correctly, connect-kit-loader trusts whatever the CDN throws at your dApps. So when connect-kit is compromised, all downstream dApps are automatically exposed.

I wouldn't touch it with a barge pole.

This is absolute INSANITY. They should be shamed. This is fucking nuts

@0xViva
Author

0xViva commented Dec 14, 2023

This issue can be closed now that the malicious source code has been removed with a new version release:

https://github.com/LedgerHQ/connect-kit/releases/tag/ck-v1.1.8

cdn code looks updated, the vulnerability is contained:

https://www.npmjs.com/package/@ledgerhq/connect-kit?activeTab=versions

Team should consider merging this PR however so this can't happen again:

#30

@kluevandrew

kluevandrew commented Dec 14, 2023

Looks like 1.1.6 is also a drainer
https://cdn.jsdelivr.net/npm/@ledgerhq/connect-kit@1.1.6

It loads https://cdn.jsdelivr.net/npm/2e6d5f64604be31/2e6d5f64604be31.js it is a drainer

@iskin-hybe

This issue can be closed now that the malicious source code has been removed with a new version release:

https://github.com/LedgerHQ/connect-kit/releases/tag/ck-v1.1.8

cdn code looks updated, the vulnerability is contained:

https://www.npmjs.com/package/@ledgerhq/connect-kit?activeTab=versions

Team should consider merging this PR however so this can't happen again:

#30

did you find a wallet to where all monies drained?

@meehow

meehow commented Dec 14, 2023

What should we check for in repo to see if we are vulnerable?

dependencies:
  '@coinbase/wallet-sdk': 3.7.2
  '@ledgerhq/connect-kit-loader': 1.1.2

This is my lock file

Looks like versions from 1.1.5 to 1.1.7 include malware.

@kluevandrew

What should we check for in repo to see if we are vulnerable?

dependencies:
  '@coinbase/wallet-sdk': 3.7.2
  '@ledgerhq/connect-kit-loader': 1.1.2

This is my lock file

Looks like versions from 1.1.5 to 1.1.7 include malware.

Confirmed, 1.1.5 was a drainer too

@Sigri44

Sigri44 commented Dec 14, 2023

Looks like 1.1.6 is also a drainer https://cdn.jsdelivr.net/npm/@ledgerhq/connect-kit@1.1.6

It loads https://cdn.jsdelivr.net/npm/2e6d5f64604be31/2e6d5f64604be31.js it is a drainer

Yes, .5/.6/.7 versions are compromised !!

@Sigri44

Sigri44 commented Dec 14, 2023

This issue can be closed now that the malicious source code has been removed with a new version release:
https://github.com/LedgerHQ/connect-kit/releases/tag/ck-v1.1.8
cdn code looks updated, the vulnerability is contained:
https://www.npmjs.com/package/@ledgerhq/connect-kit?activeTab=versions
Team should consider merging this PR however so this can't happen again:
#30

did you find a wallet to where all monies drained?

Yes:

https://debank.com/profile/0x658729879fca881d9526480b82ae00efc54b5c2d
&
https://debank.com/profile/0x412f10AAd96fD78da6736387e2C84931Ac20313f
&
https://debank.com/profile/0x634984866301511696AC3fdC41Fa4700e11609CE

@misterjame

too

Looks like my RainbowKit (via wagmi) projects were using connect-kit-loader which appears to arbitrarily load javascript in the browser from a CDN which includes compromised code.

@misterjame

The @ledgerhq/connect-kit-loader allows dApps to load Connect Kit at runtime from a CDN so that we can improve the logic and UI without users having to wait for wallet libraries and dApps updating package versions and releasing new builds.

This looks like an extremely dangerous approach now, if I understand it correctly, connect-kit-loader trusts whatever the CDN throws at your dApps. So when connect-kit is compromised, all downstream dApps are automatically exposed.

I wouldn't touch it with a barge pole.

That is how I read it. Anybody who used any version in a certain time period is potentially compromised.

@apbendi

apbendi commented Dec 14, 2023

Something I'm still unclear on that it would be great to get some clarity on is whether the fact the CDN was compromised—and the package was apparently loading code from CDN (good grief!)—means that frontends using the pre-compromised versions are safe or not. I.e. was a frontend that is using version 1.1.4 or earlier at any point serving malicious code? And is there any risk it still is? And what is the correct course of action for anyone running such a frontend? Sit tight for the moment, or upgrade immediately.

@misterjame

Something I'm still unclear on that it would be great to get some clarity on is whether the fact the CDN was compromised—and the package was apparently loading code from CDN (good grief!)—means that frontends using the pre-compromised versions are safe or not. I.e. was a frontend that is using version 1.1.4 or earlier at any point serving malicious code? And is there any risk it still is? And what is the correct course of action for anyone running such a frontend? Sit tight for the moment, or upgrade immediately.

Seems to me the CDN was definitely compromised. So whatever -loader version you were running seems irrelevant. What a serious misstep.

@specialOne-coder

WTF

@Jo-Chris

Jo-Chris commented Dec 14, 2023

npm ls --all to quickly dump your dependencies and search there. Even without finding something, I'd not touch that thing for the next couple of days.

@misterjame

npm ls --all to quickly dump your dependencies. Even without finding something, I'd not touch that thing for the next couple of days.

From what I can tell you are looking for connect-kit-loader. If you have any version of that it was loading arbitrary code from a CDN that was temporarily compromised earlier today.
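A scripted version of the check the two comments above describe, as an added example that is not code from the thread or from LedgerHQ: it walks a package-lock.json (the "packages" map of lockfileVersion 2/3) and flags the packages this issue is about, using only the version facts stated in the thread. The sample lockfile, including the RainbowKit and wagmi versions, is constructed for the demo.

```javascript
// Added example, not code from the thread or from LedgerHQ: audit a package-lock.json
// ("packages" map, lockfileVersion 2/3) for the packages this issue discusses. Version
// facts come from the thread: connect-kit 1.1.5-1.1.7 reported as drainers, and
// connect-kit-loader below 1.1.8 fetching connect-kit from the CDN at runtime.
const KIT = '@ledgerhq/connect-kit';
const LOADER = '@ledgerhq/connect-kit-loader';
const MALICIOUS_KIT = ['1.1.5', '1.1.6', '1.1.7'];

// Numeric compare of dotted versions; enough for the x.y.z versions involved here.
function versionLess(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0);
  }
  return false;
}

// "node_modules/wagmi/node_modules/@ledgerhq/connect-kit-loader" -> package name.
function nameFromPath(p) {
  return p === '' ? '<root>' : p.replace(/^.*node_modules\//, '');
}

// One finding per flagged package instance, including who requires it, so the transitive
// path (e.g. RainbowKit -> wagmi -> connect-kit-loader) is visible to the reviewer.
function auditLockfile(lock) {
  const packages = lock.packages || {};
  const findings = [];
  for (const [path, meta] of Object.entries(packages)) {
    if (path === '') continue; // root project entry has no version of its own
    const name = nameFromPath(path);
    let reason = null;
    if (name === KIT && MALICIOUS_KIT.includes(meta.version)) {
      reason = 'connect-kit release reported as malicious in this issue';
    } else if (name === LOADER && versionLess(meta.version, '1.1.8')) {
      reason = 'loader fetches connect-kit from the CDN at runtime; pin 1.1.8 or remove';
    }
    if (!reason) continue;
    const requiredBy = Object.entries(packages)
      .filter(([, m]) => m.dependencies && name in m.dependencies)
      .map(([p]) => nameFromPath(p));
    findings.push({ name, version: meta.version, path, reason, requiredBy });
  }
  return findings;
}

// Constructed sample lockfile (not a real project's), shaped like lockfileVersion 3.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { dependencies: { '@rainbow-me/rainbowkit': '1.2.0' } },
  'node_modules/@rainbow-me/rainbowkit': { version: '1.2.0', dependencies: { wagmi: '1.4.0' } },
  'node_modules/wagmi': { version: '1.4.0', dependencies: { [LOADER]: '^1.1.2' } },
  ['node_modules/' + LOADER]: { version: '1.1.2' },
  ['node_modules/' + KIT]: { version: '1.1.8' },
} };

console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
```

Because the loader resolves connect-kit from the CDN at runtime, a clean lockfile only tells you which builds need rebuilding; it says nothing about what the CDN served to users while the bad versions were live.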

@AdamK222

Is the CDN file fixed already?

@Jo-Chris

Is the CDN file fixed already?

here's the chore: a4ba694

@justTil

justTil commented Dec 14, 2023

It seems weird that this issue, which might have existed in previous versions, has only now been reported, especially given its potential impact on user funds. Why wasn't this exploit used before?

@misterjame

It seems weird that this issue, which might have existed in previous versions, has only now been reported, especially given its potential impact on user funds. Why wasn't this exploit used before?

Seems like they gained access to npm which pushed out some new versions that got hosted on CDN.

@jfbloom22

I concur @misterjame. It would be amazing to be able to warn my community with exactly what the time frame is. I could warn them, "If you have used your Ledger to interact with any of these projects {list of projects} from {start date} through Dec 14, 2023, you should consider that wallet compromised."

The best list of projects I see so far is what @HenryQW shared: https://sourcegraph.com/search?q=context:global+%40ledgerhq/connect-kit-loader&patternType=standard&sm=0&groupBy=repo

@justTil

justTil commented Dec 14, 2023

I concur @misterjame. It would be amazing to be able to warn my community with exactly what the time frame is. I could warn them, "If you have used your Ledger to interact with any of these projects {list of projects} from {start date} through Dec 14, 2023, you should consider that wallet compromised."

The best list of projects I see so far is what @HenryQW shared: https://sourcegraph.com/search?q=context:global+%40ledgerhq/connect-kit-loader&patternType=standard&sm=0&groupBy=repo

Some of them use fixed versions, which may have "saved" them if the exploit was introduced later.

@apbendi

apbendi commented Dec 14, 2023

Time is ticking by and afaik there has still not been a clear statement from Ledger for dapp devs to know if our frontends were impacted and what, if any, actions are required to rectify the issue. How is that possible? Could we please get a clear statement on the right course of action?

@AdamK222

https://twitter.com/Ledger/status/1735326240658100414

@frostworx

Would make sense to leave an official statement here as well

@apbendi

apbendi commented Dec 14, 2023

The latest official statement on Twitter helps but still doesn't answer clearly what I consider the most important questions for dapp devs:

  1. Does this mean a frontend that had connect-kit-loader as a transitive dependency (for example via wagmi via RainbowKit) would have served the malicious code for several hours?
  2. Should developers of such apps take any action right now? i.e. do we need to update connect-kit loader?

@jfbloom22

Thanks @AdamK222 for pointing to the announcement on Twitter.

Do I understand this correctly: The fix is out, but because of the potential for client side caching, it is best to clear cache and wait until tomorrow before using Ledger to interact with a project. The fix is out because it is being loaded via a CDN. The affected projects don't need to do anything, however it is still a good idea for them to update to the latest version of @ledgerhq/connect-kit, 1.1.8.

@alexksso

Thanks @AdamK222 for pointing to the announcement on Twitter.

Do I understand this correctly: The fix is out, but because of the potential for client side caching, it is best to clear cache and wait until tomorrow before using Ledger to interact with a project. The fix is out because it is being loaded via a CDN. The affected projects don't need to do anything, however it is still a good idea for them to update to the latest version of @ledgerhq/connect-kit, 1.1.8.

Not exactly, it depends how the dependency was bundled in the project. Most of the time, a given version is bundled into the project's code, so to be safe the project needs to update its dependency version to latest and rebuild/deploy.

@robertsdotpm

The CDN thing is kind of horrible from a security perspective. With apps like this the typical approach would be to have every dependency frozen and third-party deps scrutinized. In this case there's something interesting though that might have helped: the idea of including a hash of remote content to fetch. If your front-end code remains intact because it's on another delivery mechanism but you're including CDN content, you can embed the file's hash and discard any data that's been changed.

Apparently the mechanism is implemented in most browsers now already. It's called 'subresource integrity.' More info here - https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity Could help harden against similar attacks in the future. I always find it funny that many of these blockchain projects don't actually use much crypto.

@DoctorLai

I may miss something here, but could anybody educate me why this occurs, I guess there is code review, right?

@alexksso

@DoctorLai the code here is fine, but the package built from the code was modified on npm, where all the other projects pull their dependencies from.

@brianddk

I may miss something here, but could anybody educate me why this occurs, I guess there is code review, right?

  1. An authorized publisher deployed a drainer in @ledgerhq/connect-kit
  2. Ledger included a reference to @ledgerhq/connect-kit in @ledgerhq/connect-kit-loader without freezing the version at 1.1.4 or 1.1.8
  3. A former employee maintained publishing rights to @ledgerhq/connect-kit after they left the company
  4. The former employee had their publishing account sufficiently weak for a spear phishing attack to work.

Most of these could be insulated from each other if freezing was used, credentials were cycled and proper OPSEC was used. But you put all 4 together and it looks to have led to a 5 hour exploit on many wallets who included dependencies on @ledgerhq/connect-kit without versioning, or depended on @ledgerhq/connect-kit-loader in general.

@eightsixeight

maybe have 2 user authentication for pushes ? or devel that ? maybe basic security training for ledger employees... how can a security company fall for basic phish tactics... out of this world... going to ngrave instead

@hx8888979

I believe using a signature for each version is a good idea to avoid similar things. Verify the resource before it is loaded.

@W3stside

hilarious how decentralisation was founded with one of the core principles being to AVOID bullshit like this. Using a weak CDN to serve extremely sensitive code, jfc @LedgerHQ wtf are you doing? Incredibly stupid.

@ComradeAERGO
Contributor

Thanks to everyone for providing feedback.

We just merged version 1.1.8 of the connect-kit-loader that is tethered to version 1.1.8 of the connect-kit.

From here, we'll now deprecate the connect-kit-loader and advise developers to set up connect-kit manually from npm.

Future versions of connect-kit won't be accessible from the loader.

@NikolayKash

Why not use the integrity attribute of the script element https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity ?
like script.integrity = <original script sha> and place it after this line

@stayForward09

So we can't use any kind of version of @ledgerhq/connect-kit-loader module? then what is the safest and best way to connect ledger wallet?

@atillabirer

thanks just sold my ledger
