Ledger connect supply chain attack

Blockaid found a potential supply chain attack on ledgerconnect kit: the attacker injected a wallet-draining payload into the popular NPM package. This currently affects a couple of popular dapps including Hey and many others. The Zapper and Sushi frontends have been hijacked.
Slowmist: A module of Ledger was hijacked and tampered with by the supply chain. It is possible that many DApps rely on Ledger’s poisoned library ledgerhq/connect-kit. Be wary of all DApp-related operations and pay attention to whether the request information to be signed by the wallet is expected.
Sushi CTO: ANY dApp which makes use of LedgerHQ/connect-kit is vulnerable. Don't use ANY dApps until further notice. This isn't a single isolated attack, it's a large-scale attack on multiple dApps. The Ledger dApps Connect Kit enables developers to connect their dApps to Ledger hardware wallets using the Ledger Extension or Ledger Live.
Ledger: We have identified and removed a malicious version of the Ledger Connect Kit. A genuine version is being pushed to replace the malicious file now. Do not interact with any dApps for the moment. We will keep you informed as the situation evolves. Your Ledger device and Ledger Live were not compromised.
submitted by /u/FlexpoolTechnologies