(www.aikido.dev)

1369 points universesquid | 2 comments | 08 Sep 25 15:37 UTC | HN request time: 0s | source

https://github.com/advisories/GHSA-8mgj-vmr8-frr6

Show context

nodesocket ◴[08 Sep 25 15:56 UTC] No.45169885[source]▶

This is terrifying. Reminder to store your crypto in a hardware based wallet like Ledger not browser based. Stay frosty when making transfers from exchanges.

replies(3): >>45169921 #>>45169962 #>>45171452 #

1. artooro ◴[08 Sep 25 16:00 UTC] No.45169921[source]▶

>>45169885 #

While true, this is also an eye opening event of how much worse it could be if it was more generic and not limited to crypto wallet addresses.

replies(1): >>45170011 #

2. nodesocket ◴[08 Sep 25 16:07 UTC] No.45170011[source]▶

>>45169921 (TP) #

Seems like exchanges should have a confirmation screen that shows the destination addresses from XHR requests before processing, though I suppose the malicious script could just change the DOM showing the address you entered instead of the modified address it injected.

↑

NPM debug and chalk packages compromised