Ledger patched a vulnerable library in their Connect Kit today. Summary from someone on Elons app: 1. They are loading JS from a CDN. 2. They are not version locking loaded JS. 3. They had their CDN compromised.