https://twitter.com/zachxbt/status/1735292040986886648
https://twitter.com/paoloardoino/status/1735315976827101274
Abridged summary from Ledger themselves:
This morning CET, a former Ledger Employee fell victim to a phishing attack that gained access to their NPMJS account.
The attacker published a malicious version of the Ledger Connect Kit (affecting versions 1.1.5, 1.1.6, and 1.1.7). The malicious code used a rogue WalletConnect project to reroute funds to a hacker wallet.
Ledger's technology and security teams were alerted and a fix was deployed within 40 minutes of Ledger becoming aware. The malicious file was live for around 5 hours, however we believe the window where funds were drained was limited to a period of less than two hours.
The genuine and verified Ledger Connect Kit version 1.1.8 is now propagating and is safe to use.
For builders who are developing and interacting with the Ledger Connect Kit code: connect-kit development team on the NPM project are now read-only and can't directly push the NPM package for safety reasons.
We have internally rotated the secrets to publish on Ledger's GitHub.
Ledger, along with Walletconnect and our partners, have reported the bad actor's wallet address. The address is now visible on chainalysis
Tether_to has frozen the bad actor's USDT.
We are actively talking with customers whose funds might have been affected, and working proactively to help those individuals at this time.
We are filing a complaint and working with law enforcement on the investigation to find the attacker.
We're studying the exploit in order to avoid further attacks. We believe the attacker's address where the funds were drained is here: 0x658729879fca881d9526480b82ae00efc54b5c2d
Jump in the discussion.
No email address required.
Crypto is great. We don't need to test an ancap society in a real world, we can just check what's happening in crypto as a clue what it'll be like
Jump in the discussion.
No email address required.
Do you think the Fed's erection grows every time a crypto company comes running to them?
Jump in the discussion.
No email address required.
More options
Context
Jump in the discussion.
No email address required.
Jump in the discussion.
No email address required.
More options
Context
More options
Context
https://www.newyorker.com/humor/daily-shouts/l-p-d-libertarian-police-department
Jump in the discussion.
No email address required.
More options
Context
More options
Context