(www.aikido.dev)

1369 points universesquid | 1 comments | 08 Sep 25 15:37 UTC | HN request time: 0.215s | source

https://github.com/advisories/GHSA-8mgj-vmr8-frr6

Show context

phkahler ◴[08 Sep 25 17:01 UTC] No.45170753[source]▶

>> which silently intercepts crypto and web3 activity in the browser, manipulates wallet interactions, and rewrites payment destinations so that funds and approvals are redirected to attacker-controlled accounts without any obvious signs to the user.

If you're doing financial transactions using a big pile of NPM dependencies, you should IMHO be financially liable for this kind of thing when your users get scammed.

replies(2): >>45170875 #>>45170890 #

1. palmfacehn ◴[08 Sep 25 17:11 UTC] No.45170890[source]▶

>>45170753 #

It isn't uncommon in crypto ecosystems for the core foundation to shovel slop libraries on application developers.

↑

NPM debug and chalk packages compromised