Ledger Connect Kit shipped wallet drainer
A phished former Ledger employee's npm session let attackers publish Connect Kit 1.1.5, 1.1.6, and 1.1.7. The browser payload rerouted EVM signing through a wallet drainer.
Story
Ledger disclosed the incident on 2023-12-20. A former employee had fallen for phishing, and the attacker reused the npm session token to publish new versions of @ledgerhq/connect-kit.
The malicious releases were published on 2023-12-14 at 09:49, 10:44, and 11:37 CET. The package was not just used by Ledger applications. Web3 dApps loaded it to connect wallets, so a compromised dependency could appear inside many unrelated front ends.
The injected code used a rogue WalletConnect project and Angel Drainer infrastructure to present transaction prompts. Users who signed the attacker-supplied transaction drained their own signing wallet. Ledger said active draining lasted less than two hours, though CDN caches kept the malicious file reachable longer.
Ledger shipped a clean replacement quickly and coordinated with WalletConnect to disable the rogue project. The attack was small in time and large in trust: a package update became a browser-side transaction attack against downstream dApp users.
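Because the package was pulled in transitively by unrelated front ends, the check a downstream team needs is whether any copy in the dependency tree, direct or nested, resolves to 1.1.5, 1.1.6 or 1.1.7. The following is an added example, not code from Ledger or this record's project; it scans an npm package-lock.json (lockfileVersion 2 or 3) using only the package name and versions stated above, and the sample lockfile and its "some-wallet-sdk" dependency are constructed for illustration.

```javascript
// Added example (not Ledger's code): scan an npm package-lock.json (lockfileVersion 2 or 3)
// for resolved copies of @ledgerhq/connect-kit in the compromised range. Package name and
// versions come from the incident record; the sample lockfile below is constructed.
const AFFECTED_PACKAGE = "@ledgerhq/connect-kit";
const AFFECTED_VERSIONS = new Set(["1.1.5", "1.1.6", "1.1.7"]);

// Lockfile v2/v3 keys "packages" by install path, e.g. "node_modules/@ledgerhq/connect-kit"
// or "node_modules/foo/node_modules/@ledgerhq/connect-kit" for a nested (transitive) copy.
function packageNameFromPath(installPath) {
  const marker = "node_modules/";
  const idx = installPath.lastIndexOf(marker);
  return idx === -1 ? null : installPath.slice(idx + marker.length);
}

// Returns one finding { path, version, transitive } per compromised copy in the lockfile.
function findCompromisedConnectKit(lockfile) {
  const findings = [];
  const packages = lockfile.packages || {};
  for (const [installPath, entry] of Object.entries(packages)) {
    if (packageNameFromPath(installPath) !== AFFECTED_PACKAGE) continue;
    if (!AFFECTED_VERSIONS.has(entry.version)) continue;
    // More than one "node_modules/" segment means a nested copy pulled in by another dependency.
    const transitive = installPath.split("node_modules/").length > 2;
    findings.push({ path: installPath, version: entry.version, transitive });
  }
  return findings;
}

// Constructed sample: the dApp depends on connect-kit directly (clean 1.1.8) but also
// receives a nested compromised copy through a hypothetical "some-wallet-sdk" dependency.
const SAMPLE_LOCKFILE = {
  name: "example-dapp",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-dapp", dependencies: { "@ledgerhq/connect-kit": "^1.1.8" } },
    "node_modules/@ledgerhq/connect-kit": { version: "1.1.8" },
    "node_modules/some-wallet-sdk": { version: "2.0.0" },
    "node_modules/some-wallet-sdk/node_modules/@ledgerhq/connect-kit": { version: "1.1.6" },
  },
};

for (const f of findCompromisedConnectKit(SAMPLE_LOCKFILE)) {
  console.log(`${f.transitive ? "transitive" : "direct"} ${AFFECTED_PACKAGE}@${f.version} at ${f.path}`);
}
```

A lockfile scan only covers copies installed through npm; a front end that loads the kit from a CDN at runtime has to check and pin that script URL separately, which matters here because the malicious file stayed cached on CDNs after the package was fixed.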
Affected Artifacts
- Observed: 2023-12-14
- Fixed: 1.1.8
- Evidence
  - distribution: npmjs.com/package/@ledgerhq/connect-kit
  - mirror: github.com/LedgerHQ/connect-kit
  - malware: Angel Drainer
  - observable: Rogue WalletConnect project rerouted EVM signing prompts to attacker-controlled wallets.
- Public loss estimates were reported in dollars rather than confirmed affected-user counts, so impact.users is left at zero.
Incident Context
- Motive: Financial Gain
- Attribution: Group
- Cause: Compromised Account Credentials
- Transitive: Yes
- Actor: Third Party
External References
- Security Incident Report (ledger.com)
- Attack Report: Ledger Connect Kit (blockaid.io)
- Ledger dApp supply chain attack steals $600K from crypto wallets (bleepingcomputer.com)
Source record: oss/attacks/ledger-connect-kit/meta.yaml