Board: Electrum
Fraudulent transaction along with the correct one (Ledger Nano S + Electrum)
by Electrum_LedgerNS_Issue on 10/02/2020, 13:50:35 UTC
Merits 3 from 3 users: Lucius (1), DireWolfM14 (1), o_e_l_e_o (1)
Hi guys,

I posted this topic 2 weeks ago in the Ledger subreddit and created a support ticket with Ledger, but they came back to me saying that they can't find an issue/replicate my problem, so I'm trying again here.
If someone would be able to replicate this bug I would be extremely grateful, as I'm at a loss here ...

So, I used the Electrum wallet (installed as described here: https://support.ledger.com/hc/en-us/articles/115005161925) with a Ledger Nano S.
Electrum: version 3.3.8
Ledger Nano S firmware: 1.6.0
Bitcoin app: 1.3.16
OS: Windows 10 Pro 1903

I created a transaction and pressed "Send". The details of the transaction appeared on my ledger device, I checked them and then validated the transaction (first screen was Output #1 or #2, correct amount, correct destination, "Validate", then second screen with the correct fees and "Accept").

The transaction was sent correctly (2 outputs - one recipient one change).

The problem: At the same time as the correct transaction, another transaction got generated: my biggest UTXO was sent in full to an address not controlled by me (the address had no transactions in it, and the coins haven't moved since).

Please note that there are still other bitcoins in my wallet which weren't moved, so I doubt my seed was compromised (both in the subwallet which contained the "stolen" UTXO and in other wallets derived from the same seed).

Things I noticed: one weird thing about the second transaction is that the LockTime was 1 instead of a block number close to the one at which the transaction gets broadcast, so I think it got created through the console?
Would it be possible somehow to inject a second transaction while I was on my Ledger checking the details of the original one? Or to modify the script hash so that one validation sends two transactions?
It is possible that my operating system is compromised, but even then I still can't understand how I got to accept this ...
I'm at a complete loss ... Help?
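As an added example (not code from the post, from Electrum or from Ledger), here is how one would actually check the two things the post singles out about the second transaction, the odd LockTime and the fact that the whole UTXO went to a single output, rather than eyeballing them in a block explorer. The script contains a minimal raw-transaction parser (legacy and BIP144 segwit serialization) and a `suspicious_flags` check. The two transactions, the block height, the txids and the scriptPubKeys are all constructed placeholders, not the real transactions from the post; a real investigation would feed the hex of both transactions (Electrum's "View transaction" dialog or `gettransaction` from the console) and the local block height into `parse_tx` and `suspicious_flags`.

```python
# Added example: raw Bitcoin transaction parser plus the sanity checks a reviewer
# would run on the "second" transaction from the post. Not Electrum's or Ledger's code.
import struct


def read_varint(data: bytes, pos: int):
    """Decode a CompactSize integer at data[pos]; return (value, new_pos)."""
    first = data[pos]
    if first < 0xFD:
        return first, pos + 1
    if first == 0xFD:
        return struct.unpack_from("<H", data, pos + 1)[0], pos + 3
    if first == 0xFE:
        return struct.unpack_from("<I", data, pos + 1)[0], pos + 5
    return struct.unpack_from("<Q", data, pos + 1)[0], pos + 9


def encode_varint(n: int) -> bytes:
    if n < 0xFD:
        return bytes([n])
    if n <= 0xFFFF:
        return b"\xfd" + struct.pack("<H", n)
    if n <= 0xFFFFFFFF:
        return b"\xfe" + struct.pack("<I", n)
    return b"\xff" + struct.pack("<Q", n)


def parse_tx(raw_hex: str) -> dict:
    """Parse a serialized transaction (legacy or segwit) into a dict."""
    data = bytes.fromhex(raw_hex)
    pos = 0
    version = struct.unpack_from("<i", data, pos)[0]
    pos += 4
    # BIP144 marker (0x00) + flag (0x01); a legacy tx always has input count >= 1 here.
    segwit = data[pos] == 0x00 and data[pos + 1] == 0x01
    if segwit:
        pos += 2
    n_in, pos = read_varint(data, pos)
    inputs = []
    for _ in range(n_in):
        txid = data[pos:pos + 32][::-1].hex()  # stored little-endian, shown big-endian
        pos += 32
        vout = struct.unpack_from("<I", data, pos)[0]
        pos += 4
        slen, pos = read_varint(data, pos)
        script_sig = data[pos:pos + slen].hex()
        pos += slen
        sequence = struct.unpack_from("<I", data, pos)[0]
        pos += 4
        inputs.append({"txid": txid, "vout": vout, "script_sig": script_sig, "sequence": sequence})
    n_out, pos = read_varint(data, pos)
    outputs = []
    for _ in range(n_out):
        value = struct.unpack_from("<q", data, pos)[0]
        pos += 8
        slen, pos = read_varint(data, pos)
        spk = data[pos:pos + slen].hex()
        pos += slen
        outputs.append({"value_sat": value, "script_pubkey": spk})
    if segwit:
        for inp in inputs:
            n_items, pos = read_varint(data, pos)
            items = []
            for _ in range(n_items):
                ilen, pos = read_varint(data, pos)
                items.append(data[pos:pos + ilen].hex())
                pos += ilen
            inp["witness"] = items
    locktime = struct.unpack_from("<I", data, pos)[0]
    pos += 4
    if pos != len(data):
        raise ValueError("trailing bytes after nLockTime")
    return {"version": version, "segwit": segwit, "inputs": inputs,
            "outputs": outputs, "locktime": locktime}


def suspicious_flags(tx: dict, current_height: int, window: int = 100) -> list:
    """Properties that separate a hand-built sweep from a transaction Electrum would build."""
    flags = []
    lt = tx["locktime"]
    # nLockTime < 500_000_000 is a block height. Electrum (and Bitcoin Core) set it to roughly
    # the current height as anti-fee-sniping; 0 or 1 is what scripted/hand-built txs carry.
    if lt >= 500_000_000:
        flags.append("locktime_is_timestamp")
    elif lt < current_height - window:
        flags.append("locktime_not_recent")
    if len(tx["outputs"]) == 1:
        flags.append("single_output_sweep")  # whole input value to one script, no change
    # nLockTime is only enforced if some input has a non-final sequence; Electrum's default
    # sequence is non-final (0xfffffffe, or 0xfffffffd with RBF), so all-final is also odd.
    if all(inp["sequence"] == 0xFFFFFFFF for inp in tx["inputs"]):
        flags.append("all_sequences_final")
    return flags


def build_tx(inputs, outputs, locktime: int, version: int = 1) -> str:
    """Serialize a legacy tx from (txid_hex, vout, script_sig_hex, sequence) and (value_sat, spk_hex)."""
    out = struct.pack("<i", version) + encode_varint(len(inputs))
    for txid, vout, script_sig, seq in inputs:
        ss = bytes.fromhex(script_sig)
        out += bytes.fromhex(txid)[::-1] + struct.pack("<I", vout)
        out += encode_varint(len(ss)) + ss + struct.pack("<I", seq)
    out += encode_varint(len(outputs))
    for value, spk in outputs:
        s = bytes.fromhex(spk)
        out += struct.pack("<q", value) + encode_varint(len(s)) + s
    return (out + struct.pack("<I", locktime)).hex()


# Constructed sample data (assumed values, not the post's real transactions).
ASSUMED_HEIGHT = 617_000                      # assumed local block height at send time
P2PKH_A = "76a914" + "11" * 20 + "88ac"       # placeholder scriptPubKeys, not real addresses
P2PKH_B = "76a914" + "22" * 20 + "88ac"
P2PKH_X = "76a914" + "33" * 20 + "88ac"
LEGIT_TX = build_tx([("aa" * 32, 0, "", 0xFFFFFFFE)],
                    [(50_000, P2PKH_A), (940_000, P2PKH_B)], ASSUMED_HEIGHT)
SWEEP_TX = build_tx([("bb" * 32, 1, "", 0xFFFFFFFE)], [(5_000_000, P2PKH_X)], 1)

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT_TX), ("sweep", SWEEP_TX)):
        tx = parse_tx(raw)
        print(name, "locktime", tx["locktime"], "outputs", len(tx["outputs"]),
              suspicious_flags(tx, ASSUMED_HEIGHT))
```

The scriptSigs in the samples are left empty because signatures do not matter for these checks; on real data the parser also returns the witness items, which is what you would compare against the device's public keys to see whether the sweep was actually signed by the Ledger or by a key that never lived on it.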