A registry breach could potentially affect the entire EVM ecosystem – Linea
An attack on the Ledger Connector library may be affecting the entire Ethereum Virtual Machine (EVM) ecosystem, according to the Linea team at Consensys zero knowledge aggregation.
The hacker targeted the Ledger connector library, which is designed to create connections between Ledger hardware wallets and various decentralized applications (DApps). Wallet provider MetaMask has been affected by the security incident.
For all Web3 users, this vulnerability appears to be affecting multiple apps across the entire EVM ecosystem. It is very dangerous to interact with any dapps unless the issue is properly resolved.
Good luck there! https://t.co/kFykLW4lWm
— Linea (@LineaBuild) December 14, 2023
According to a post on X (formerly Twitter), MetaMask has rolled out an update to fix the issue on its MetaMask portfolio. “Please make sure the Blockaid feature is turned on in the MetaMask Extension before making any transactions on the MetaMask portfolio,” the company warned on X.
Other affected protocols include Zapper, SushiSwap, Phantom, Balasser, and Revoke.cash. Blockchain security firm Sertic told Cointelegraph that any DApp that imports a CDN will automatically execute a decryption code that allows victims to connect to wallets they support.
Ledger is a popular hardware wallet used by many in the crypto community. Its connector library is a critical component that connects between Ledger hardware and various DApps. If this library gets corrupted, it can affect many EVM users and transactions.
The attack started after a former Ledger employee was phished and their NPMJS account compromised. “The attacker published a malicious version of the Ledger Connect Kit (versions 1.1.5, 1.1.6 and 1.1.7 affected). The malicious code used the rogue WalletConnect project to transfer funds to the hacker's wallet,” the company wrote. X.
A correction was released 40 minutes after the Ledger became aware of the issue. The company is warning users to wait 24 hours before using the Ledger Connect Kit again.
Final timeline and update to customers:
4:49 pm CET:
Ledger Connect Kit real version 1.1.8 is now automatically distributed. We recommend that you wait 24 hours before using the Ledger Connect Kit again.
The investigation continues, here's the timeline we know…
— Ledger (@Ledger) December 14, 2023
Blockchain analytics platform Lookonchain said the hacker stole about $484,000 in assets, but the impact of the security breach could be even greater, Leder said.
Magazine: 2 years after John McAfee's death, widow Janice is broken and needs answers.