summary of today's NPM compromise, vulnerable package versions, and action items for devs here, from @andrewmohawk at Privy.

if your app uses NPM (includes mini apps), please check your dependencies.

summary_large_image

Lot of chatter about the QIX NPM compromise. TL;DR
-- Dev was compromised ~9am ET ( https://t.co/bgOwN57xyz )
-- Malicious packages removed at ~11.30 ET ( https://t.co/XApcXgcQoK )
If you installed in this time please check your codebase.

AndrewMohawk⁽ⁿᵘˡˡ⁾

Any components could have indirect dependencies that if a build was installed that included these versions would have been vulnerable.

You can use this script to scan or DIY:
https://t.co/jwEwQ9N9FT

Stay safe.

This would only impact you if:
- FRESH install between ~9am and ~11.30am ET 
- OR Package-lock.json created in that time
- Vuln packages in direct or transient dependencies

Sec/Madness.

@privy principal security 
SEAL
 technical council + 911.



Prev HoS @uniswap // D&R/IR @ Robinhood // IR @ BitMEX

Built Maltego for 10 years!

summary of today's NPM compromise, vulnerable package versions, and action items for devs here, from @andrewmohawk at Privy.

if your app uses NPM (includes mini apps), please check your dependencies.

https://x.com/AndrewMohawk/status/1965116722375209305
https://x.com/AndrewMohawk/status/1965117607750881561

Wrapped liquid staked Ether 2.0

Do you know.if there is anything to worry about for defi/swaps/sends on regular browser wallets and uni/cowswap/Opensea and other major crypto sites?

There is nothing more powerful in this world than words.

Ethereum

Most wallets these days use some kind of transaction scanning. I'd check if yours does. Most major crypto apps will probably have communicated something by now, so I'd look for those updates on Twitter or elsewhere. I'd be cautious around smaller apps, but so far doesn't look like this was very widespread.