Posted 12/14/2023, 11:32:58 PM
Malicious NPM Update Drains $484,000 from Web3 App Users via Confusing Transaction Approvals
- Attacker compromised a former Ledger employee's NPMJS account and uploaded a malicious update to the Ledger Connect Kit, which is used by multiple Web3 apps
- Update distributed malicious code to users' browsers when they visited infected apps like Zapper, SushiSwap, Phantom, etc.
- Code likely displayed confusing transaction data, tricking users into approving transactions to the attacker's address
- Over $484,000 drained from victims so far, but more apps are potentially affected
- Avoiding this attack is very difficult currently, as wallet confirmation messages don't always clearly convey what users are approving