The cryptocurrency security landscape faced a stark reminder of supply chain vulnerabilities on December 14, 2023, when Ledger’s widely used Connect Kit library was compromised through a sophisticated attack on the Node Package Manager (NPM) ecosystem. The breach, which saw approximately $484,000 drained from user wallets, exposed critical weaknesses in how decentralized applications rely on third-party code dependencies.
The Exploit Mechanics
The attack vector was elegantly simple in its execution yet devastating in its impact. A threat actor gained unauthorized access to Ledger’s NPM publishing credentials and pushed a malicious version of the @ledgerhq/connect-kit package. This compromised library contained code that injected a rogue WalletConnect implementation, silently redirecting cryptocurrency transactions from legitimate wallet connections to an attacker-controlled address.
What made this attack particularly insidious was the trust model it exploited. Ledger’s Connect Kit serves as a fundamental bridge between decentralized applications and hardware wallets, used by major DeFi protocols including Sushi, Lido, MetaMask, and Coinbase Wallet. When users interacted with any dApp utilizing this library, they were unknowingly exposing their assets to the malicious redirect.
The compromised package was live for approximately five hours, though the active window during which funds were drained appears to have been limited to less than two hours. Ledger’s technology and security teams deployed a fix within 40 minutes of becoming aware of the breach, releasing a genuine version 1.1.8 of the Connect Kit.
Affected Systems
The blast radius of this supply chain attack extended far beyond Ledger’s own ecosystem. Because the Connect Kit is embedded across hundreds of decentralized applications, the malicious code propagated automatically to any dApp that pulled the latest NPM package. Services like revoke.cash, which users typically visit to revoke malicious token approvals, were themselves compromised, creating a particularly dangerous feedback loop.
Users who connected their wallets to affected dApps during the vulnerability window had their transactions redirected to the attacker’s wallet. The nature of the exploit meant that any asset held in a connected wallet was potentially at risk, not just the specific tokens being transacted.
Blockchain security firm Blockaid identified that the attack was potentially linked to a former Ledger employee, raising serious questions about internal access controls and credential management. The incident highlighted how even hardware wallet manufacturers, whose primary value proposition is security, can become vectors for attacks when their software supply chain is compromised.
The Mitigation Strategy
Ledger’s response involved multiple coordinated steps. The company removed the malicious version from NPM, pushed the genuine update, and issued urgent advisories across social media channels. However, the fix required each individual dApp to update its own copy of the library manually, a process that took considerably longer than the initial patch deployment.
Blockaid CEO Ido Ben-Natan emphasized that all protocols utilizing Ledger’s Connect Kit needed to perform manual updates of their library versions to ensure complete security. This manual requirement significantly extended the window of vulnerability beyond Ledger’s own 40-minute response time.
For users, the immediate mitigation was straightforward: avoid interacting with any decentralized applications until the affected protocols confirmed they had updated their Ledger Connect Kit dependencies. Hardware wallet users who did not connect to any dApps during the vulnerability window remained safe, as the attack only affected software interactions.
Lessons Learned
The Ledger Connect Kit incident revealed several critical vulnerabilities in the DeFi ecosystem’s approach to software dependencies. First, the centralized nature of NPM package publishing creates a single point of failure that can be exploited through credential compromise. Second, the automatic propagation of updates means a single malicious package can affect hundreds of applications simultaneously.
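A defender's dependency check for the propagation mechanism described above and in the mitigation section, as an added example that is not Ledger's or any dApp's code: it flags a non-exact range for @ledgerhq/connect-kit (which lets a fresh install resolve to whatever the registry's newest publish is), a locked version below the genuine 1.1.8 release the article names, and a lock entry with no integrity hash. The package.json and package-lock.json contents are constructed, and a flagged version is marked for review, not asserted malicious.

```javascript
const PKG = '@ledgerhq/connect-kit';
const FIXED_VERSION = '1.1.8'; // genuine fix release named in the article

// Constructed sample manifests (not taken from any real dApp repository).
const packageJson = { dependencies: { [PKG]: '^1.1.4' } };
const lockfile = {
  lockfileVersion: 3,
  packages: {
    'node_modules/@ledgerhq/connect-kit': {
      version: '1.1.6',
      resolved: 'https://registry.npmjs.org/@ledgerhq/connect-kit/-/connect-kit-1.1.6.tgz',
      // no "integrity" field: the install cannot check the tarball's content hash
    },
  },
};

// Numeric compare of dotted versions: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Caret, tilde, wildcard, ">=" or "latest" ranges resolve to the newest matching publish at
// install time, which is how a malicious release propagates without any code change.
function isFloatingRange(range) {
  return /^[\^~>]|[x*]/.test(range.trim()) || range.trim() === 'latest';
}

// Returns a list of findings for the connect-kit dependency (empty means nothing to review).
function auditConnectKit(pkgJson, lock) {
  const findings = [];
  const deps = { ...(pkgJson.dependencies || {}), ...(pkgJson.devDependencies || {}) };
  if (deps[PKG] && isFloatingRange(deps[PKG])) {
    findings.push(`package.json range "${deps[PKG]}" for ${PKG} is not an exact version`);
  }
  // Lockfile v2/v3 keys are install paths, including nested copies under other packages.
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path.endsWith(`node_modules/${PKG}`)) continue;
    if (compareVersions(entry.version, FIXED_VERSION) < 0) {
      findings.push(`${path}: locked version ${entry.version} is below ${FIXED_VERSION}; review and update`);
    }
    if (!entry.integrity) {
      findings.push(`${path}: no integrity hash recorded, tarball contents are not pinned`);
    }
  }
  return findings;
}
```

An exact version plus a recorded integrity hash pins what gets installed, but as the discussion below notes it does not help when the publisher's own key is used to sign a new release, so the check is one layer, not the whole fix.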
The attack also demonstrated the paradox of security in the crypto space: even companies whose entire brand is built on security can inadvertently expose their users to risk through software supply chain vulnerabilities. As Bitcoin traded around $41,930 and Ethereum hovered near $2,219 on December 15, the broader market’s downward trend of 2-4% was compounded by the anxiety this breach generated among DeFi users.
User Action Required
If you connected your wallet to any decentralized application between December 14 and December 15, 2023, you should immediately review your wallet’s transaction history for unauthorized transfers. Revoke all token approvals granted during this period using a verified, updated version of token revocation tools. Consider using a fresh wallet address for future DeFi interactions if you suspect exposure. Hardware wallet users should verify that their device firmware is up to date and that they are using the latest version of Ledger Live. Moving forward, users should exercise caution when connecting wallets to dApps in the immediate aftermath of any reported supply chain compromise, and wait for explicit confirmation from protocol teams that they have updated affected dependencies.
Disclaimer: This article is for informational purposes only and does not constitute financial or security advice. Always conduct your own research and consult with security professionals regarding cryptocurrency protection strategies.
supply chain attacks are the silent killer in crypto. $484K gone because someone reused a password for NPM. the whole dependency tree is a house of cards
dependency tree is a house of cards and every dapp just blindly trusts it. one compromised npm key and half of defi goes down
sushi, lido, metamask all using the same connector and nobody thought to pin versions? this was preventable
^ pinned versions wouldn't have stopped a compromised publisher key though. the real fix is reproducible builds and multiple signers
reproducible builds with multi-sig publishing is the answer. single developer accounts shouldn't control packages used by thousands of dapps
Dusan R. is right but pinning only works if you verify the hash. most devs pin the version number not the integrity hash
pinning versions helps but when the publisher account itself is compromised they can push a new version that looks legit. the trust model is broken
$484K drained and it took ledger hours to respond. every minute counted and their incident response was nonexistent