summary of today's NPM compromise, vulnerable package versions, and action items for devs here, from @andrewmohawk at Privy.

if your app uses NPM (includes mini apps), please check your dependencies.

summary_large_image

Lot of chatter about the QIX NPM compromise. TL;DR
-- Dev was compromised ~9am ET ( https://t.co/bgOwN57xyz )
-- Malicious packages removed at ~11.30 ET ( https://t.co/XApcXgcQoK )
If you installed in this time please check your codebase.

AndrewMohawk⁽ⁿᵘˡˡ⁾

Any components could have indirect dependencies that if a build was installed that included these versions would have been vulnerable.

You can use this script to scan or DIY:
https://t.co/jwEwQ9N9FT

Stay safe.

This would only impact you if:
- FRESH install between ~9am and ~11.30am ET 
- OR Package-lock.json created in that time
- Vuln packages in direct or transient dependencies

Sec/Madness.

@privy principal security 
SEAL
 technical council + 911.



Prev HoS @uniswap // D&R/IR @ Robinhood // IR @ BitMEX

Built Maltego for 10 years!

summary of today's NPM compromise, vulnerable package versions, and action items for devs here, from @andrewmohawk at Privy.

if your app uses NPM (includes mini apps), please check your dependencies.

https://x.com/AndrewMohawk/status/1965116722375209305
https://x.com/AndrewMohawk/status/1965117607750881561

Wrapped liquid staked Ether 2.0

the window during which this was active was pretty short, and affected packages are now fixed on NPM, but worth double checking your deps. stay noided!