summary of today's NPM compromise, vulnerable package versions, and action items for devs here, from @andrewmohawk at Privy.

if your app uses NPM (includes mini apps), please check your dependencies.

summary_large_image

Lot of chatter about the QIX NPM compromise. TL;DR
-- Dev was compromised ~9am ET ( https://t.co/bgOwN57xyz )
-- Malicious packages removed at ~11.30 ET ( https://t.co/XApcXgcQoK )
If you installed in this time please check your codebase.

AndrewMohawk⁽ⁿᵘˡˡ⁾

Any components could have indirect dependencies that if a build was installed that included these versions would have been vulnerable.

You can use this script to scan or DIY:
https://t.co/jwEwQ9N9FT

Stay safe.

This would only impact you if:
- FRESH install between ~9am and ~11.30am ET 
- OR Package-lock.json created in that time
- Vuln packages in direct or transient dependencies

Sec/Madness.

@privy principal security 
SEAL
 technical council + 911.



Prev HoS @uniswap // D&R/IR @ Robinhood // IR @ BitMEX

Built Maltego for 10 years!

summary of today's NPM compromise, vulnerable package versions, and action items for devs here, from @andrewmohawk at Privy.

if your app uses NPM (includes mini apps), please check your dependencies.

https://x.com/AndrewMohawk/status/1965116722375209305
https://x.com/AndrewMohawk/status/1965117607750881561

Wrapped liquid staked Ether 2.0

Was just about to ask you if farcaster txs were affected in any way, running a scan on our end right now to double check our deps

Crazy how (a) targeted this attack was and (b) how billions of downloads are reliant on a single publisher's 2fa 🙃

co-founder @ponder @survey // benadamsky.com

If the bottom right said Kansas instead of Nebraska I’d immediately tag @cassie