1101 sats \ 7 replies \ @elysia 14 Dec 2023 \ on: Alert: ledger library confirmed compromised and replaced with a drainer. privacy
"The @ledgerhq/connect-kit-loader allows dApps to load Connect Kit at runtime from a CDN so that we can improve the logic and UI without users having to wait for wallet libraries and dApps updating package versions and releasing new builds."
This looks like an extremely dangerous approach now. Connect-kit-loader trusts whatever the CDN throws at your dApps. So when connect-kit is comprised, all downstream dApps are automatically exposed.
Here is a list of affected downstream projects: https://sourcegraph.com/search?q=context:global+%40ledgerhq/connect-kit-loader&patternType=standard&sm=0&groupBy=repo
Many familiar names there and I stopped scrolling after seeing wagmi and MetaMask SDK.
Also, revoke.cash is compromised.
https://nitter.net/RevokeCash/status/1735282669808717958?t=bnVdCMZlMyAkuuTaFokaaA
@k00b @DarthCoin @supertestnet @grayruby @Onions @ekzyis
write
preview
220 sats \ 2 replies \ @Zepasta 14 Dec 2023
deleted by author
reply
21 sats \ 1 reply \ @Bullen 15 Dec 2023
The maxis were right again.
reply
0 sats \ 0 replies \ @Zepasta 15 Dec 2023
deleted by author
reply
0 sats \ 0 replies \ @ek 14 Dec 2023
need to look into this when i have time but
Connect-kit-loader trusts whatever the CDN throws at your dApps.
sounds like this doesn't affect us? since we're not a dApp?
reply
0 sats \ 2 replies \ @ek 14 Dec 2023
deleted by author
reply
0 sats \ 1 reply \ @ek 14 Dec 2023
oh sorry, thought you are someone else, lol
similar nym
reply
0 sats \ 0 replies \ @elysia 14 Dec 2023
lol np
reply