Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

>> which silently intercepts crypto and web3 activity in the browser, manipulates wallet interactions, and rewrites payment destinations so that funds and approvals are redirected to attacker-controlled accounts without any obvious signs to the user.

If you're doing financial transactions using a big pile of NPM dependencies, you should IMHO be financially liable for this kind of thing when your users get scammed.



using NPM at all must be treated as a liability at this point. it's not the first and definitely not the last time NPM got pwned this hard.


Lots of very big financial originations and other F100 companies use a whole lot more node than you'd be comfortable with.

Luckily some of them actually import the packages to a local distribution point and check them first.


It isn't uncommon in crypto ecosystems for the core foundation to shovel slop libraries on application developers.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: