ledger-connect-kit
Ledger Connect Kit Supply Chain Attack
A former Ledger employee fell victim to a phishing attack, giving the attackers access to their npm account, which they used to publish malicious versions of the @ledgerhq/connect-kit package. The payload contained a wallet drainer that rerouted cryptocurrency funds to the attacker, affecting major dApps such as SushiSwap and Revoke.cash.
- Date
- 2023-12-14
- Category
- Open Source
- Target Surface
- Package registry
- Insertion Phase
- distribution
- Impact
- Financial Exploitation
- Cause
- Compromised Account/Credentials
What Was Affected
- Package
- ledger-connect-kit
- Language
- JavaScript
- Component
- Library
- Artifact type
- source archive
- Domain type
- package host
- Domain
- npmjs.com
- Repository
- github.com/LedgerHQ/connect-kit
- Compromised Versions
Incident Context
- Motive
- Financial gain
- Attribution
- Third Party
- Transitive
- Yes
- User Impact
- 500000
- Observed Duration
- 0 days
External References
Source Data
Source record: oss/ledger-connect-kit/meta.yaml