Ledger, a leading hardware wallet manufacturer, has issued an urgent fix after discovering a compromised version of its Ledger Connect Kit library. The compromised library is used by popular services like MetaMask, Coinbase, and Lido to connect to hardware wallets. The compromise resulted from a phishing attack on a former Ledger employee, leading to the publication of a malicious file that drained users’ wallets.

To address the issue, Ledger has automatically distributed a secure version of the Ledger Connect Kit (version 1.1.8) to users. However, as a precaution, Ledger has advised users not to connect to or use any decentralized applications (dApps) for the next 24 hours.

The compromise was publicly identified by Matthew Lilley, CTO of the decentralized exchange Sushi, prompting MetaMask and other web3 services to push updates and announce whether they were affected. Ledger deployed a fix within 40 minutes of becoming aware of the issue, and the window where funds were drained was limited to less than two hours, according to Ledger’s timeline of events.

Ledger recommends users employ Clear Signing, their simple-language transaction signing method, to help prevent future attacks. Users are also advised to use an additional Ledger mint wallet if they need to Blind Sign any transactions. Ledger is actively communicating with affected customers to provide assistance and support during this time. Users are encouraged to check for the most recent information from the services they use before connecting their wallets to dApps.