summary of today's NPM compromise, vulnerable package versions, and action items for devs here, from @andrewmohawk at Privy.

if your app uses NPM (includes mini apps), please check your dependencies.

summary_large_image

Lot of chatter about the QIX NPM compromise. TL;DR
-- Dev was compromised ~9am ET ( https://t.co/bgOwN57xyz )
-- Malicious packages removed at ~11.30 ET ( https://t.co/XApcXgcQoK )
If you installed in this time please check your codebase.

AndrewMohawk⁽ⁿᵘˡˡ⁾

Any components could have indirect dependencies that if a build was installed that included these versions would have been vulnerable.

You can use this script to scan or DIY:
https://t.co/jwEwQ9N9FT

Stay safe.

This would only impact you if:
- FRESH install between ~9am and ~11.30am ET 
- OR Package-lock.json created in that time
- Vuln packages in direct or transient dependencies

Sec/Madness.

@privy principal security 
SEAL
 technical council + 911.



Prev HoS @uniswap // D&R/IR @ Robinhood // IR @ BitMEX

Built Maltego for 10 years!

summary of today's NPM compromise, vulnerable package versions, and action items for devs here, from @andrewmohawk at Privy.

if your app uses NPM (includes mini apps), please check your dependencies.

https://x.com/AndrewMohawk/status/1965116722375209305
https://x.com/AndrewMohawk/status/1965117607750881561

Wrapped liquid staked Ether 2.0

Does using a different package manager than NPM help avoid things like this? I've heard bun is more secure

Tortoise Token

i need to look into this a bit more for more context but if it's an issue at the package level it might persist regardless of which package manager you use(npm, pnpm, yarn, bun etc)

Ethereum

actively investigating further but this post makes it seem like a relatively smaller set of projects could be affected(still not good at all either way)

https://x.com/AndrewMohawk/status/1965117607750881561

it’s a global package manager issue but there’s many options like pinning versions manually or using npm ci or etc — in theory the only people who installed it were ones setting up new projects so installing from scratch not from a lock file