Safety is of paramount importance to the cLabs team. We wanted to draw your attention to the recent announcement by Ledger of a vulnerability in recent versions of the Ledger connect-kit library due to an attacker inserting malicious code.
This affects web and mobile app frontends built using a range of libraries on EVM chains including Ethereum and Celo. The malicious code, added only today, could cause frontends to prompt users to sign malicious transactions.
We strongly urge all users to exercise caution and refrain from interacting with any web- or mobile-based dapp frontends until the teams responsible for them confirm it is safe to do so.
The Celo blockchain itself is not affected, only dapp frontends built using the affected library are.
The cLabs team has verified the safety of two crucial NPM packages:
@celo/celocli. Users can confidently continue utilizing these packages without concern for the recently discovered vulnerability.
However, we have identified a potential security risk for all frontends built using @celo/rainbowkit-celo. This vulnerability stems from the transitive dependency on @ledgerhq/connect-kit-loader, which is linked to the compromised library.
The dependency chain is as follows:
We strongly advise all developers to upgrade to @firstname.lastname@example.org or higher immediately. This version incorporates a critical patch from @email@example.com, effectively removing the compromised ledger library and securing your frontend.
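To confirm, before and after upgrading, whether a frontend's package-lock.json still reaches the loader package, here is an added example (not cLabs or Ledger code) that walks the lock file's packages map and prints every chain down to @ledgerhq/connect-kit-loader. The sample lock inside it is constructed; the intermediate links of a real chain will differ.

```javascript
// Added example (not cLabs or Ledger code): walk an npm package-lock.json
// (lockfileVersion 2 or 3) and list every dependency chain to a package under audit.

// Resolve which lock entry `depName` means for the package at `fromPath`,
// following npm's nearest-first nested node_modules lookup.
function resolveDep(packages, fromPath, depName) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + '/' : '') + 'node_modules/' + depName;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf('/node_modules/');
    base = idx === -1 ? '' : base.slice(0, idx);
  }
}

// Depth-first walk from the root entry ("") returning every chain of
// "name@version" strings that ends at `target`; the on-stack set breaks cycles.
// Root devDependencies are included because build tooling runs on the frontend too.
function findDependencyChains(lock, target) {
  const packages = lock.packages || {};
  const chains = [];
  const onStack = new Set(['']);
  function walk(path, chain) {
    const entry = packages[path] || {};
    const deps = Object.assign({}, entry.dependencies, entry.optionalDependencies,
                               path === '' ? entry.devDependencies : {});
    for (const name of Object.keys(deps)) {
      const depPath = resolveDep(packages, path, name);
      if (!depPath || onStack.has(depPath)) continue;
      const next = chain.concat(name + '@' + packages[depPath].version);
      if (name === target) { chains.push(next); continue; }
      onStack.add(depPath);
      walk(depPath, next);
      onStack.delete(depPath);
    }
  }
  walk('', []);
  return chains;
}

// Constructed sample lock, not a real project's file: the shape matches the
// advisory's chain, but a real frontend will have more intermediate links.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { '@celo/rainbowkit-celo': '^1.0.0', react: '^18.0.0' } },
    'node_modules/@celo/rainbowkit-celo': { version: '1.0.0', dependencies: { '@ledgerhq/connect-kit-loader': '^1.0.0' } },
    'node_modules/@ledgerhq/connect-kit-loader': { version: '1.0.0' },
    'node_modules/react': { version: '18.2.0' },
  },
};
```

To run it against a real project, replace sampleLock with JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8')) and print each chain returned by findDependencyChains(lock, '@ledgerhq/connect-kit-loader') joined with ' -> '; an empty result means the lock file no longer pulls in the loader.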
If you have questions, need assistance, or have a particularly sensitive issue, please reach out to firstname.lastname@example.org.