"The @ledgerhq/connect-kit-loader allows dApps to load Connect Kit at runtime from a CDN so that we can improve the logic and UI without users having to wait for wallet libraries and dApps updating package versions and releasing new builds."

This looks like an extremely dangerous approach now. Connect-kit-loader trusts whatever the CDN throws at your dApps. So when connect-kit is compromised, all downstream dApps are automatically exposed.

Here is a list of affected downstream projects: https://sourcegraph.com/search?q=context:global+%40ledgerhq/connect-kit-loader&patternType=standard&sm=0&groupBy=repo

Many familiar names there and I stopped scrolling after seeing wagmi and MetaMask SDK.

Also, revoke.cash is compromised.

https://nitter.net/RevokeCash/status/1735282669808717958?t=bnVdCMZlMyAkuuTaFokaaA

@k00b @DarthCoin @supertestnet @grayruby @Onions @ekzyis

need to look into this when i have time but

"Connect-kit-loader trusts whatever the CDN throws at your dApps."

sounds like this doesn't affect us? since we're not a dApp?

deleted by author

The maxis were right again.

deleted by author

deleted by author

oh sorry, thought you are someone else, lol

similar nym

lol np
