
1369 points universesquid | 2 comments
phkahler No.45170753
>> which silently intercepts crypto and web3 activity in the browser, manipulates wallet interactions, and rewrites payment destinations so that funds and approvals are redirected to attacker-controlled accounts without any obvious signs to the user.

If you're doing financial transactions using a big pile of NPM dependencies, you should IMHO be financially liable for this kind of thing when your users get scammed.

replies(2): >>45170875 >>45170890
1. bpavuk No.45170875
Using NPM at all must be treated as a liability at this point. It's not the first and definitely not the last time NPM got pwned this hard.
replies(1): >>45174224
2. pixl97 No.45174224
Lots of very big financial organizations and other F100 companies use a whole lot more Node than you'd be comfortable with.

Luckily some of them actually import the packages to a local distribution point and check them first.