ETHSecurity Community
This is the farcaster instantiation of the great and lindy ETHSecurity community which exists on Telegram and elsewhere.
Praetor
Here is everything you need to know on today's NPM hack in the context of crypto:
> NPM is used by node.js and pretty much every website
> NPM maintainer Josh Junon (Qix-) fell for a phishing email mimicking npmjs website
> Attackers compromised his account, injecting malware into 18 popular JavaScript packages that had 2.6 billion weekly downloads
> Malicious versions (e.g., [email protected], [email protected]) were published and later yanked by npm within hours.
> Malware targets crypto users by altering transactions before signing, but users must approve the bad tx: it's not automatic drainage
> Attack affects the entire JavaScript ecosystem, including dApps. But only impacts fresh installs/pulls during the ~2.5-hour breach (9-11:30 AM ET). Pinned dependencies reduce spread.
> Attack detected by firms like Aikido, Socket, and Blockaid; npm responded quickly
> Your wallet is probably safe and the effective impact area is much smaller than "all websites", but you cannot really know if a project pinned dependencies, or if they have some dynamically downloaded dependency (very unlikely)
> It's just safer to avoid using crypto websites till this blows over and they clean up the bad packages. Or use HW and check all the transaction data

Btw I am not a security expert, this is just from things I read online. @officer_cia let me know if I missed anything.

--- HOW THE MALWARE WORKS ---
The obfuscated JavaScript payload:
> Hooks into browser APIs (e.g., XMLHttpRequest, fetch) to intercept network traffic.
> Scans responses for crypto wallet addresses using regex patterns for chains like Bitcoin (BTC), Ethereum (ETH), Solana (SOL), Tron (TRX), Litecoin (LTC), and Bitcoin Cash (BCH).
> Replaces detected addresses with ~30 attacker-controlled ones (e.g., 0xFc4a4858bafef54D1b1d7697bfb5c52F4c166976) that mimic originals (same prefix/suffix).
> Activates in front-end environments, potentially during package install (postinstall scripts) or runtime in apps/CLIs
> When signing the transaction, you still see the "bad" transaction. So if you are careful you can avoid it

--- THIS IS ONLY ONE OF THE POSSIBLE WAYS ---
0 reply
0 recast
4 reactions
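An added example, not code from Praetor's post or from the incident itself: two defender-side checks in JavaScript against the behaviour the post describes. `checkRecipient` compares the address you meant to pay against the one actually presented for signing and flags the "same prefix/suffix, different middle" pattern that a lookalike address is built to pass; `auditNetworkApis` is a cheap red-flag check for whether `fetch` or `XMLHttpRequest` have been replaced by a JavaScript wrapper. Function names and all addresses below are constructed placeholders, not the attacker addresses from the incident.

```javascript
// Added example (not from the original post). Defender-side checks against
// address substitution: compare the whole recipient string rather than its ends,
// and look for monkey-patched network APIs. Addresses are constructed placeholders.

const ETH_ADDRESS = /^0x[0-9a-fA-F]{40}$/;

// Classify the address presented for signing relative to the intended one.
// Checking only the first and last few characters is exactly what a lookalike
// address is designed to defeat, so compare the full string (case-insensitively,
// since EIP-55 checksum casing may differ) and report "lookalike" when only the
// ends agree.
function checkRecipient(intended, presented, edge = 4) {
  if (!ETH_ADDRESS.test(intended) || !ETH_ADDRESS.test(presented)) {
    return 'invalid';
  }
  const a = intended.toLowerCase();
  const b = presented.toLowerCase();
  if (a === b) return 'match';
  const samePrefix = a.slice(0, 2 + edge) === b.slice(0, 2 + edge);
  const sameSuffix = a.slice(-edge) === b.slice(-edge);
  return samePrefix && sameSuffix ? 'lookalike' : 'mismatch';
}

// Built-in browser functions stringify as "[native code]"; a JS hook wrapped
// around fetch or XMLHttpRequest shows its own source instead. A hook can also
// forge toString, so a "native" result is not proof of a clean page, but a
// non-native result on a built-in is a strong signal worth investigating.
function looksNative(fn) {
  return (
    typeof fn === 'function' &&
    /\{\s*\[native code\]\s*\}\s*$/.test(Function.prototype.toString.call(fn))
  );
}

// Return the names of network entry points that no longer look like built-ins.
// `globalObj` is injectable so the check can be exercised on a constructed
// object; in a browser, call it with no argument.
function auditNetworkApis(globalObj = globalThis) {
  const targets = [['fetch', globalObj.fetch]];
  const xhr = globalObj.XMLHttpRequest;
  if (xhr && xhr.prototype) {
    targets.push(['XMLHttpRequest.prototype.open', xhr.prototype.open]);
    targets.push(['XMLHttpRequest.prototype.send', xhr.prototype.send]);
  }
  return targets
    .filter(([, fn]) => typeof fn === 'function' && !looksNative(fn))
    .map(([name]) => name);
}

// Constructed sample input: an intended recipient, a lookalike that shares its
// first and last four hex characters, and an unrelated address.
const INTENDED = '0x1111111111111111111111111111111111111111';
const LOOKALIKE = '0x1111abcdefabcdefabcdefabcdefabcdefab1111';
const UNRELATED = '0x2222222222222222222222222222222222222222';

// Constructed stand-in for a page whose XMLHttpRequest.open has been wrapped.
const HOOKED_PAGE = {
  fetch: Math.max, // stands in for a genuine built-in
  XMLHttpRequest: { prototype: { open: function open() {}, send: Math.min } },
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(checkRecipient(INTENDED, LOOKALIKE)); // lookalike
  console.log(auditNetworkApis(HOOKED_PAGE)); // [ 'XMLHttpRequest.prototype.open' ]
}
```

Run `auditNetworkApis()` from a browser console on the page you are about to sign on; under Node, `fetch` is implemented in JavaScript rather than as a native built-in, so it reports `fetch` there regardless of tampering, which is why the demo uses a constructed page object instead.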