Ledger confirms its Connect Kit library was compromised
Hardware wallet provider Ledger has warned users not to use its software to connect to any supported decentralized application (dApp), because its Connect Kit library has been compromised.
According to a post on its X (formerly Twitter) account, a malicious version of the Connect Kit library was identified and removed.
🚨We have identified and removed a malicious version of the Ledger Connect Kit. 🚨
A genuine version is being pushed to replace the malicious file now. Do not interact with any dApps for the moment. We will keep you informed as the situation evolves.
Your Ledger device and…
— Ledger (@Ledger) December 14, 2023
Users are therefore strongly advised not to interact with any dApp for the time being. Ledger did, however, assure users that Ledger devices and the Ledger Live application are not affected by the malicious code.
The compromised Connect Kit library was first spotted by the developer banteg (@bantg), who reported that the Ledger library had been replaced with a "drainer".
🚨 ledger library confirmed compromised and replaced with a drainer. wait out interacting with any dapps till things become clearer. https://t.co/xapunW8zC3 pic.twitter.com/NlAc11vhdv
— banteg (@bantg) December 14, 2023
According to Blockaid, the attacker injected a "wallet draining payload" into the popular NPM package, and the malicious code was served from the content delivery network (CDN) that hosts the library. As a result, dApps using Ledger Connect Kit version 1.1.4 and above were compromised.
🚨 We've detected a potential supply chain attack on ledgerconnect kit 🚨
The attacker injected a wallet draining payload into the popular NPM package.
This currently affects a couple of popular dapps including but not limited to https://t.co/2QJmKIGv9T
— Blockaid (@blockaid_) December 14, 2023
Matthew Lilley, CTO of Sushi, also pointed out that LedgerHQ/connect-kit loads its JavaScript from a CDN and that the CDN account had been compromised, which is how the malicious JS was injected into multiple dApps.
No, LedgerHQ/connect-kit loads JS from a CDN, their CDN account has been compromised which is injecting malicious JS into multiple dApps.
— I'm Software 🦇🔊 (@MatthewLilley) December 14, 2023
Blockchain projects including Revoke.cash and Kyber Network confirmed the incident. Revoke.cash temporarily took its website offline in response, then removed the compromised dependency and brought the site back up.
⚠️⚠️⚠️⚠️⚠️⚠️
Warning: Multiple popular crypto applications that integrate with Ledger's ConnectKit library, including https://t.co/MkINKOiX5N have been compromised. We temporarily took the website offline as we're investigating further. We recommend not using *any* crypto website…
— Revoke.cash (@RevokeCash) December 14, 2023
Even so, Revoke.cash recommended that users not connect their crypto wallets to any blockchain protocol for the rest of the day.
Still unsafe after the fix
Ledger confirmed that the genuine software has been deployed and that it is actively working to purge the wallet-draining payload from its CDN.
Despite these efforts, industry experts are still advising cryptocurrency users to be cautious when interacting with any Web3-based solution for the time being.
Ethereum core developer Hudson Jameson explained that if a user visits one of the many dApps that integrate the Ledger library, a MetaMask-style browser prompt could be used to compromise their crypto wallet.
This exposure puts assets at risk. To mitigate it, users are strongly advised not to interact with any affected dApp until an update has been released.
Ledger Library Exploit Explainer for Average Folks
What is going on with the recent alerts not to use dapps?
A library that is used by many dapps that is maintained by Ledger was compromised and a wallet drainer was added.
What do I do as a normal user?
Do not interact with… https://t.co/exre0QfykD
— Hudson Jameson (@hudsonjameson) December 14, 2023
Jameson stressed that even though the malicious code has been removed, every dApp that integrates the library must update it before that dApp can be considered safe to use.