URGENT: The @ledgerhq/connect-kit npm package appears to have been compromised and is distributing malicious versions. The package lets dApps load Connect Kit at runtime from a CDN, and that design is now considered extremely dangerous because a single compromised artifact reaches every downstream dApp. Affected downstream projects include wagmi and the MetaMask SDK. The compromised versions range from 1.1.5 to 1.1.7. It is unclear whether frontends using earlier versions also served malicious code, so developers are advised either to wait for further instructions or to upgrade immediately. Time is ticking, and clarity from Ledger is still awaited. The incident raises questions about the security of NPM and the potential impact on user funds.
https://github.com/LedgerHQ/connect-kit/issues/29
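One check a dApp maintainer would want while waiting on Ledger is to find every copy of @ledgerhq/connect-kit in a project's lockfile, including copies nested under wagmi or the MetaMask SDK, and compare each against the 1.1.5 to 1.1.7 range the issue names. The script below is an added example, not code from Ledger or the issue; the lockfile fragment is constructed, the function names are ours, and because Connect Kit is fetched at runtime from the CDN, a pinned version outside the range is reported rather than cleared.

```javascript
const PKG = "@ledgerhq/connect-kit";
const RANGE = { min: "1.1.5", max: "1.1.7" }; // versions the issue lists as compromised

// Parse "MAJOR.MINOR.PATCH" (any pre-release/build suffix is ignored) into numbers.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// "compromised" for 1.1.5..1.1.7; "earlier"/"later" for versions outside that range.
// The issue leaves the status of earlier versions open, so they are reported, not cleared.
function classify(version) {
  if (compareVersions(version, RANGE.min) < 0) return "earlier";
  if (compareVersions(version, RANGE.max) > 0) return "later";
  return "compromised";
}

// Walk the lockfile's "packages" map (npm lockfileVersion 2/3) and report every
// copy of the package, whether installed at the top level or nested under a dependency.
function scanLockfile(lock) {
  return Object.entries(lock.packages || {})
    .filter(([path]) => path.endsWith(`node_modules/${PKG}`))
    .map(([path, entry]) => ({ path, version: entry.version, status: classify(entry.version) }));
}

// Constructed lockfile fragment (not from any real project): a top-level copy below
// the range plus a nested copy pulled in transitively by wagmi that is inside the range.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { wagmi: "*" } },
    "node_modules/@ledgerhq/connect-kit": { version: "1.1.4" },
    "node_modules/wagmi": { version: "1.0.0", dependencies: { [PKG]: "*" } },
    "node_modules/wagmi/node_modules/@ledgerhq/connect-kit": { version: "1.1.6" },
  },
};

console.log(scanLockfile(SAMPLE_LOCK));
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; lockfiles with only the older `dependencies` tree need a different walk.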