Channel: https://warpcast.com/~/channel/fc-updates

Varun Srinivasan
@v
Security Update: NPM QIX attack

1. If you're using the Farcaster app on web or mobile, you are safe.
2. If you're using a Farcaster miniapp, be cautious unless the developer has confirmed it's safe. Reject any transactions from miniapps you don't fully understand.

What happened?

An attacker took over an NPM developer's account and replaced packages with malicious versions. These low-level, open-source components are used by many apps, including popular crypto wallets. Any app that updates these packages today may load the malicious code, which can propose dangerous transactions to users.

The Farcaster app uses some of these packages, but we have confirmed we haven't updated them since the attack. It's therefore safe to use our app.

Farcaster miniapps could have been affected. If a miniapp is impacted, it may propose a dangerous transaction. Our security scanning should catch most of these, and even if something slips through, you'll see a transaction preview to review and reject. If you're using a miniapp, it's important to read the details and accept only transactions you understand.
37 replies
141 recasts
477 reactions
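The post above rests on one verifiable claim: the app "hasn't updated" the affected packages since the attack. For a miniapp developer who wants to confirm the same thing for their own build, the evidence is the lockfile that produced the deployed bundle. The script below is an added example, not code from the post or from Farcaster: it audits an npm lockfile (v2/v3 "packages" map, with a fallback for the v1 nested "dependencies" tree) against a deny-list of package versions and reports every installed copy, including nested copies that a wallet SDK pins for itself. The package names, versions and the sample lockfile are constructed placeholders, not the packages involved in the incident; a real run would load the deny-list from the advisory.

```javascript
// Added example, not code from the original post or from Farcaster.
// Audits an npm lockfile for dependency versions on a deny-list, which is how a
// team confirms "we haven't updated them since the attack" without trusting memory.
// Package names and versions below are constructed placeholders, not the
// packages actually involved in the incident.

// Hypothetical deny-list: package name -> set of versions believed malicious.
const DENYLIST = {
  "example-hex-utils": new Set(["1.2.3"]),
  "example-color-lib": new Set(["5.0.1", "5.0.2"]),
};

// Derive the package name from a lockfile v2/v3 "packages" key such as
// "node_modules/@scope/name" or "node_modules/a/node_modules/b".
function packageNameFromPath(installPath) {
  const marker = "node_modules/";
  const idx = installPath.lastIndexOf(marker);
  return idx === -1 ? installPath : installPath.slice(idx + marker.length);
}

// Walk a lockfile v1 nested "dependencies" tree (used only when "packages" is absent).
function walkV1(deps, parentPath, denylist, hits) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = `${parentPath}node_modules/${name}`;
    const bad = denylist[name];
    if (bad && bad.has(meta.version)) {
      hits.push({ name, version: meta.version, path, resolved: meta.resolved || null });
    }
    walkV1(meta.dependencies, `${path}/`, denylist, hits);
  }
}

// Returns every installed copy (top-level or nested) whose version is deny-listed.
// Nested copies matter: a wallet SDK can pin its own copy of a library that is
// different from, and worse than, the one at the top level.
function findCompromised(lockfile, denylist = DENYLIST) {
  const hits = [];
  if (lockfile.packages) {
    for (const [path, meta] of Object.entries(lockfile.packages)) {
      if (path === "" || !meta.version) continue; // "" is the root project itself
      const name = packageNameFromPath(path);
      const bad = denylist[name];
      if (bad && bad.has(meta.version)) {
        hits.push({ name, version: meta.version, path, resolved: meta.resolved || null });
      }
    }
  } else {
    walkV1(lockfile.dependencies, "", denylist, hits);
  }
  return hits;
}

// Constructed sample lockfile (lockfileVersion 3 layout) so the script runs offline.
const SAMPLE_LOCKFILE = {
  name: "my-miniapp",
  lockfileVersion: 3,
  packages: {
    "": { name: "my-miniapp", version: "0.1.0" },
    "node_modules/example-hex-utils": {
      version: "1.2.3",
      resolved: "https://registry.npmjs.org/example-hex-utils/-/example-hex-utils-1.2.3.tgz",
    },
    "node_modules/example-color-lib": { version: "4.9.0" },
    "node_modules/some-wallet-sdk": { version: "2.0.0" },
    "node_modules/some-wallet-sdk/node_modules/example-color-lib": { version: "5.0.2" },
  },
};

// Run on a real lockfile with `node audit-lock.js path/to/package-lock.json`;
// with no argument it audits the constructed sample.
if (typeof require !== "undefined" && require.main === module) {
  const lockfile = process.argv[2]
    ? JSON.parse(require("fs").readFileSync(process.argv[2], "utf8"))
    : SAMPLE_LOCKFILE;
  const hits = findCompromised(lockfile);
  for (const h of hits) console.log(`DENY-LISTED ${h.name}@${h.version} at ${h.path}`);
  console.log(hits.length === 0 ? "no deny-listed versions found" : `${hits.length} hit(s)`);
}
```

Two caveats when using this on a real project. Audit the lockfile that was actually used to build the deployed bundle, and install from it with `npm ci` (which fails if package.json and the lockfile disagree) rather than a fresh `npm install`, which can resolve a caret range to a newer release than the one you checked. A clean result against a placeholder list proves nothing; the names and versions must come from the incident advisory.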

Varun Srinivasan
@v
Some additional reading:
1. A deep dive into the attack: https://jdstaerk.substack.com/p/we-just-found-malicious-code-in-the
2. How our wallet's transaction scanning can protect you: https://x.com/blockaid_/status/1965119199920963711
0 reply
20 recasts
131 reactions

Pichi
@pichi
@procoin curate union
1 reply
0 recast
4 reactions

antimo
@antimofm.eth
@neynar eli5 pretty pls
1 reply
0 recast
3 reactions

Tayyab - d/acc
@tayyab
cc @privy who had a great script from their head of security that was useful
1 reply
0 recast
1 reaction

0xChris
@0xchris
This feels like an existential threat to the miniapp ecosystem. If Farcaster were B2B like GitHub, “It’s your responsibility…” would fly. But this is B2C. Asking non-developers to “understand the risks” is not just unfair—it’s unsustainable.
0 reply
0 recast
0 reaction

DepressiveHacks
@depressivehacks
Huge that I don't need to wince in fear with every reply.
0 reply
0 recast
4 reactions

Arrotu
@arrotu
Thanks for that
0 reply
0 recast
5 reactions

Ramsey 🎩🤝
@ramsey
Thank you for this. I inadvertently clicked the warpslot app. Nothing happened but I wanna be safe. How do I deny further access to the mini app?
1 reply
0 recast
3 reactions

Alemac
@alemac
how can we reject txs from miniapps?
1 reply
0 recast
3 reactions

abeg007
@abeg007.eth
Thanks. I asked some people but didn't get a clear answer. Now I understand: since I didn't use any wallet sign-in or check-in on any apps, I'm safe. I'll just wait for the next official announcement, that's the safest way 👀
0 reply
0 recast
3 reactions

kompreni 🚂
@kompreni
I know this isn't your post, but this is bad advice imo. If there are other recently compromised packages, this basically invites them all in.
0 reply
0 recast
2 reactions

WG
@wgmeets
So services like @noiceapp @tipn and such should put something out letting everyone know it's ok on their end?
1 reply
0 recast
2 reactions

Peter Arogundade 🟧
@noblepeter2000
Good to see how things work.
0 reply
0 recast
2 reactions

noice
@noicebot
https://app.noice.so/?castHash=0x266e5c21cda62759c4978ab106f68d70b517fcd3&timestamp=1757361216951
0 reply
0 recast
1 reaction

melody11
@melody11
Thank you for the update
0 reply
0 recast
0 reaction

TifeIsHot💕
@gurhjibecws
Whewww
0 reply
0 recast
0 reaction

Skima
@skimaacarea
Thanks for the insight
0 reply
0 recast
0 reaction

helladj
@helladj
👨‍💻🤷
0 reply
0 recast
0 reaction

Metopia
@metopia
Metopia has confirmed it's safe to use our app.
0 reply
0 recast
0 reaction