SlowMist: DApps using Ledger Connect Kit version 1.1.4 and above are affected; check your projects
ChainCatcher news: SlowMist Security Threat Intelligence has discovered that @ledgerhq/connect-kit suffered a supply chain attack in which the attacker implanted malicious JS code in versions of @ledgerhq/connect-kit >1.1.4 to launch phishing attacks against cryptocurrency users. All DApps using @ledgerhq/connect-kit versions >1.1.4 are affected. Check whether your code uses any of the following affected versions.
Affected version range:
@ledgerhq/connect-kit 1.1.5 (the attacker left a message in the code)
@ledgerhq/connect-kit 1.1.6 (the attacker left a message in the code and implanted malicious JS code)
@ledgerhq/connect-kit 1.1.7 (the attacker left a message in the code and implanted malicious JS code)
The SlowMist Security Team recommends exercising caution when interacting with DApps until an official fix is clearly provided.
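One way to run the version check requested above, as an added example (not SlowMist's or Ledger's code): it scans a parsed npm package-lock.json for the three listed versions, including copies pulled in transitively by other packages. The sample lockfile and the `wallet-ui` package name are constructed for illustration.

```javascript
// Versions taken from the advisory's affected list.
const PACKAGE = "@ledgerhq/connect-kit";
const AFFECTED = new Set(["1.1.5", "1.1.6", "1.1.7"]);

// Returns [{ path, version }] for every affected copy found in a parsed
// package-lock.json (npm lockfileVersion 1, 2 or 3).
function findAffected(lock) {
  const hits = [];
  const record = (path, version) => {
    if (AFFECTED.has(version) && !hits.some((h) => h.path === path)) {
      hits.push({ path, version });
    }
  };

  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const isTarget = path === `node_modules/${PACKAGE}` ||
      path.endsWith(`/node_modules/${PACKAGE}`);
    if (isTarget) record(path, entry.version);
  }

  // lockfileVersion 1 (also kept in v2 for compatibility): nested tree.
  const walk = (deps, trail) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = `${trail}node_modules/${name}`;
      if (name === PACKAGE) record(path, entry.version);
      walk(entry.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Constructed sample: the direct dependency is pinned to 1.1.4, but a
// hypothetical package "wallet-ui" bundles its own copy at 1.1.6.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    "": { name: "example-dapp", version: "0.0.0" },
    "node_modules/@ledgerhq/connect-kit": { version: "1.1.4" },
    "node_modules/wallet-ui": { version: "2.0.0" },
    "node_modules/wallet-ui/node_modules/@ledgerhq/connect-kit": { version: "1.1.6" },
  },
  dependencies: {
    "@ledgerhq/connect-kit": { version: "1.1.4" },
    "wallet-ui": { version: "2.0.0",
      dependencies: { "@ledgerhq/connect-kit": { version: "1.1.6" } } },
  },
};
console.log(findAffected(sampleLock));
```

To check a real project, pass the result of `JSON.parse` on the contents of its package-lock.json to `findAffected`. The scan covers only versions resolved in an npm lockfile, so an empty result does not cover copies of the library obtained any other way.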