Ledger has released the latest update on the vulnerability on the X platform, stating that the genuine and validated Ledger Connect Kit version 1.1.8 has now been spread and can be safely used. For builders who are developing Ledger Connect Kit code and interacting with it: the connect-kit development team on the NPM project is now read-only and cannot directly push NPM packages for security reasons.

In addition, malicious code uses the rogue WalletConnect project to reroute funds to hacker wallets. -Ledger's technical and security teams received alerts and deployed fixes within 40 minutes of Ledger's awareness. The survival time of this malicious file is about 5 hours, but the time window for funds to be depleted is less than two hours.

The team is filing complaints and working with law enforcement to investigate and find the attacker, and is studying the vulnerability to avoid further attacks.