Content pfp
Content
@
https://warpcast.com/~/channel/fc-updates
0 reply
0 recast
0 reaction
Varun Srinivasan pfp
Varun Srinivasan
@v
Security Update: NPM QIX attack 1. If you're using the Farcaster app on web or mobile, you are safe. 2. If you're using a Farcaster miniapp, be cautious unless the developer has confirmed it's safe. Reject any transactions from miniapps you don’t fully understand. What happened? An attacker took over an NPM developer's account and replaced packages with malicious versions. These low-level, open-source components are used by many apps, including popular crypto wallets. Any app that updates these packages today may load the malicious code, which can propose dangerous transactions to users. The Farcaster app uses some of these packages, but we have confirmed we haven’t updated them since the attack. It's therefore safe to use our app. Farcaster miniapps could have been affected. If a miniapp is impacted, it may propose a dangerous transaction. Our security scanning should catch most of these, and even if something slips through, you’ll see a transaction preview to review and reject. If you’re using a miniapp, it’s important to read the details and accept only transactions you understand.
37 replies
141 recasts
477 reactions
Varun Srinivasan pfp
Varun Srinivasan
@v
Some additional reading: 1. A deep dive into the attack: https://jdstaerk.substack.com/p/we-just-found-malicious-code-in-the 2. How our wallet's transaction scanning can protect you: https://x.com/blockaid_/status/1965119199920963711
0 reply
20 recasts
131 reactions
Pichi pfp
Pichi
@pichi
@procoin curate union
1 reply
0 recast
4 reactions
antimo pfp
antimo
@antimofm.eth
@neynar eli5 pretty pls
1 reply
0 recast
3 reactions
Tayyab - d/acc pfp
Tayyab - d/acc
@tayyab
cc @privy who had a great script from their head of security that was useful
1 reply
0 recast
1 reaction
0xChris pfp
0xChris
@0xchris
This feels like an existential threat to the miniapp ecosystem. If Farcaster were B2B like GitHub, “It’s your responsibility…” would fly. But this is B2C. Asking non-developers to “understand the risks” is not just unfair—it’s unsustainable.
0 reply
0 recast
0 reaction
DepressiveHacks pfp
DepressiveHacks
@depressivehacks
Huge that I don't need to wince in fear with every reply.
0 reply
0 recast
4 reactions
Arrotu pfp
Arrotu
@arrotu
Thanks for that
0 reply
0 recast
5 reactions
Ramsey 🎩🤝 pfp
Ramsey 🎩🤝
@ramsey
Thank you for this. I inadvertently clicked the warpslot app. Nothing happened but I wanna be safe. How do I deny further access to the mini app?
1 reply
0 recast
3 reactions
Alemac pfp
Alemac
@alemac
how can we reject txs from miniapps?
1 reply
0 recast
3 reactions
abeg007 pfp
abeg007
@abeg007.eth
Thanks I asked some people but didn’t get a clear answer. Now I understand since I didn’t use any wallet sign-in or check-in on any apps, I’m safe. I’ll just wait for the next official announcement that’s the safest way 👀
0 reply
0 recast
3 reactions
kompreni 🚂 pfp
kompreni 🚂
@kompreni
I know this isn't your post, but this is bad advice imo. If there are other recently compromised packages, this basically invites them all in.
0 reply
0 recast
2 reactions
WG pfp
WG
@wgmeets
So services like @noiceapp @tipn and such should put something out letting everyone know it's ok on their end?
1 reply
0 recast
2 reactions
Peter Arogundade 🟧 pfp
Peter Arogundade 🟧
@noblepeter2000
Good to see how things works.
0 reply
0 recast
2 reactions
noice pfp
noice
@noicebot
https://app.noice.so/?castHash=0x266e5c21cda62759c4978ab106f68d70b517fcd3&timestamp=1757361216951
0 reply
0 recast
1 reaction
melody11 pfp
melody11
@melody11
Thank you for the update
0 reply
0 recast
0 reaction
TifeIsHot💕 pfp
TifeIsHot💕
@gurhjibecws
Whewww
0 reply
0 recast
0 reaction
Skima pfp
Skima
@skimaacarea
Thanks for the insight
0 reply
0 recast
0 reaction
helladj pfp
helladj
@helladj
👨‍💻🤷
0 reply
0 recast
0 reaction
Metopia pfp
Metopia
@metopia
Metopia has confirmed it's safe to use our app.
0 reply
0 recast
0 reaction