summary of today's NPM compromise, vulnerable package versions, and action items for devs here, from @andrewmohawk at Privy.

if your app uses NPM (includes mini apps), please check your dependencies.

summary_large_image

Lot of chatter about the QIX NPM compromise. TL;DR
-- Dev was compromised ~9am ET ( https://t.co/bgOwN57xyz )
-- Malicious packages removed at ~11.30 ET ( https://t.co/XApcXgcQoK )
If you installed in this time please check your codebase.

AndrewMohawk⁽ⁿᵘˡˡ⁾

Any components could have indirect dependencies that if a build was installed that included these versions would have been vulnerable.

You can use this script to scan or DIY:
https://t.co/jwEwQ9N9FT

Stay safe.

This would only impact you if:
- FRESH install between ~9am and ~11.30am ET 
- OR Package-lock.json created in that time
- Vuln packages in direct or transient dependencies

Sec/Madness.

@privy principal security 
SEAL
 technical council + 911.



Prev HoS @uniswap // D&R/IR @ Robinhood // IR @ BitMEX

Built Maltego for 10 years!

summary of today's NPM compromise, vulnerable package versions, and action items for devs here, from @andrewmohawk at Privy.

if your app uses NPM (includes mini apps), please check your dependencies.

https://x.com/AndrewMohawk/status/1965116722375209305
https://x.com/AndrewMohawk/status/1965117607750881561

Wrapped liquid staked Ether 2.0

Does using a different package manager than NPM help avoid things like this? I've heard bun is more secure

Tortoise Token

it’s a global package manager issue but there’s many options like pinning versions manually or using npm ci or etc — in theory the only people who installed it were ones setting up new projects so installing from scratch not from a lock file

i need to look into this a bit more for more context but if it's an issue at the package level it might persist regardless of which package manager you use(npm, pnpm, yarn, bun etc)