According to Decrypt, crypto hardware wallet manufacturer Ledger confirmed that a vulnerability was caused by a phishing attack on a former employee. The attacker used the phishing attack to gain access to the former employee's NPMJS account and then pushed a malicious version of the Ledger Connect Kit. The affected Connect Kit versions are 1.1.5, 1.1.6, and 1.1.7, which have been removed from Ledger's NPM page.

Ledger said that it has pushed a new version of Connect Kit (1.1.8) and users can use it safely, but it is recommended to wait 24 hours and clear the browser cache.