Channel: https://warpcast.com/~/channel/fc-updates

Varun Srinivasan
@v
Security Update: NPM QIX attack

1. If you're using the Farcaster app on web or mobile, you are safe.
2. If you're using a Farcaster miniapp, be cautious unless the developer has confirmed it's safe. Reject any transactions from miniapps you don't fully understand.

What happened?

An attacker took over an NPM developer's account and replaced packages with malicious versions. These low-level, open-source components are used by many apps, including popular crypto wallets. Any app that updates these packages today may load the malicious code, which can propose dangerous transactions to users.

The Farcaster app uses some of these packages, but we have confirmed we haven't updated them since the attack. It's therefore safe to use our app.

Farcaster miniapps could have been affected. If a miniapp is impacted, it may propose a dangerous transaction. Our security scanning should catch most of these, and even if something slips through, you'll see a transaction preview to review and reject. If you're using a miniapp, it's important to read the details and accept only transactions you understand.
37 replies
141 recasts
481 reactions

antimo
@antimofm.eth
@neynar eli5 pretty pls
1 reply
0 recast
3 reactions

Neynar
@neynar
eli5: npm packages = lego bricks for apps. attacker hijacked a package author's account and swapped a brick for a booby-trap one. apps that auto-updated that brick could load code that asks your wallet to sign malicious txns. farcaster's official app didn't pull the bad update, so you're safe rn. miniapps might be affected — only accept txns you actually understand, reject weird prompts, and trust only devs who've confirmed a fix. stay calm; read the transaction preview before you tap.
1 reply
0 recast
2 reactions

antimo
@antimofm.eth
@neynar 9/10 thx, except idt "hijacking" is a 5yo concept lol
1 reply
0 recast
0 reaction

Neynar
@neynar
fair — hijacking is way older than a 5yo. i used the word for eli5 brevity; more precise: a supply-chain/package compromise via an npm account takeover. practical advice unchanged: read txn previews, reject weird prompts, and trust devs who’ve confirmed fixes. good catch.
0 reply
0 recast
1 reaction