Don't use your hardware wallet's companion app.
Sparrow doesn't use NPM, so this is fine, but fully check and double check the address you are sending to on your hardware wallet's display in case this address has been swapped out.
If you use Bitkey, note that it cannot utilise Sparrow and its companion app does use NPM, so don't send any Bitcoin from Bitkey until further notice.
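As an added illustration of the check the note above recommends (this is not part of the original note or any wallet's code), the Python below shows why "confirm the address on the device display" is the check that actually catches a swap: an address substituted by a compromised dependency is itself a well-formed, checksum-valid address, so format validation on the app side cannot flag it; only comparing what the device will sign against the recipient address you obtained independently does. The bech32/bech32m decoder follows BIP173/BIP350, the addresses are published BIP test vectors standing in for a user's intended recipient and an attacker's substitute, and the function names are this example's own.

```python
# Added example: why "check the address on the device display" is the check
# that catches an address swap. The decoder follows BIP173/BIP350; the
# addresses are published BIP test vectors used as stand-ins, and the
# function names are this example's own, not any wallet's API.

CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
BECH32_CONST = 1
BECH32M_CONST = 0x2BC830A3


def _polymod(values):
    gen = [0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3]
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk


def _hrp_expand(hrp):
    return [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]


def _convertbits(data, frombits, tobits):
    # Regroup 5-bit symbols into bytes without padding; reject non-zero leftover bits.
    acc, bits, out, maxv = 0, 0, [], (1 << tobits) - 1
    for value in data:
        acc = (acc << frombits) | value
        bits += frombits
        while bits >= tobits:
            bits -= tobits
            out.append((acc >> bits) & maxv)
    if bits >= frombits or ((acc << (tobits - bits)) & maxv):
        return None
    return out


def decode_address(addr):
    """Return (hrp, witness_version, program_bytes) for a valid segwit
    address, or None if it is malformed or its checksum fails."""
    if addr != addr.lower() and addr != addr.upper():
        return None  # mixed case is forbidden by BIP173
    addr = addr.lower()
    pos = addr.rfind("1")
    if pos < 1 or pos + 7 > len(addr) or len(addr) > 90:
        return None
    hrp, data_part = addr[:pos], addr[pos + 1:]
    if any(c not in CHARSET for c in data_part):
        return None
    data = [CHARSET.index(c) for c in data_part]
    const = _polymod(_hrp_expand(hrp) + data)
    if const not in (BECH32_CONST, BECH32M_CONST):
        return None  # checksum failure: a typo or corruption, not a swap
    version, program = data[0], _convertbits(data[1:-6], 5, 8)
    if program is None or version > 16:
        return None
    # BIP350: witness version 0 uses bech32, versions 1-16 use bech32m
    if (version == 0) != (const == BECH32_CONST):
        return None
    if len(program) < 2 or len(program) > 40:
        return None
    if version == 0 and len(program) not in (20, 32):
        return None
    return hrp, version, bytes(program)


def verify_before_signing(intended, shown, expected_hrp="bc"):
    """`intended` is the recipient address obtained out-of-band (the payee,
    an invoice, a second channel); `shown` is what the signing device
    displays. Only an exact match should be approved on the device."""
    parsed = decode_address(shown)
    if parsed is None:
        return False, "device shows a malformed address or bad checksum"
    if parsed[0] != expected_hrp:
        return False, f"unexpected network prefix {parsed[0]!r}"
    if shown.lower() != intended.lower():
        return False, "device address differs from intended recipient"
    return True, "ok"


# Constructed scenario using BIP173/BIP350 test vectors as stand-ins.
INTENDED = "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"  # what the user meant to pay
SWAPPED = "bc1p0xlxvlhemja6c4dqv22uapctqupfhlxm9h8z3k2e72q4k9hcz7vqzk5jj0"  # substitute, fully valid
TYPO = "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t5"  # one character off

if __name__ == "__main__":
    # The swapped address passes every format and checksum check ...
    print("swapped address decodes:", decode_address(SWAPPED) is not None)
    # ... so only the comparison against the intended recipient rejects it.
    for label, shown in (("honest", INTENDED), ("swapped", SWAPPED), ("typo", TYPO)):
        print(f"{label:8} -> {verify_before_signing(INTENDED, shown)}")
```

The point of the three cases: a typo fails the checksum and would be caught by any wallet, but the substitute decodes cleanly as a different valid address, so the only defence is the comparison against an address that the possibly compromised app layer never touched, which is exactly what reading it off the hardware wallet's own screen provides.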
Replies (6)
I read "metamask" and figured I could ignore.
Same
Same
Bitkey GitHub was just updated. I figured it was in response to the vulnerability. When I try to go to the release notes, I get a "malicious website" message from my browser. Bitkey hacked question mark??
Don’t send any transactions until you’re certain everything is OK.
https://store.blockstream.com/?code=KgD7dk4Ejmt6
Check out the official announcements from Blockstream and Jade:
The Blockstream app and the Jade hardware wallet are NOT affected; the app does not use JavaScript environments or NPM packages. Instead, it is built with Swift (iOS), Kotlin (Android), and C++ with QML (desktop/Qt), completely avoiding this vulnerability that affects packages with billions of downloads and that can swap crypto addresses to steal funds. This means that users' funds remain completely safe.
Jade is the Bitcoin-focused hardware wallet emphasizing transparency and isolation, compatible with apps like Blockstream Green for air-gapped transactions via QR codes.
Fully open-source code/hardware for community auditing, true air-gapped operation (no USB/Bluetooth for signing), and native Liquid network integration for sidechain assets like L-BTC/USDt.
Liquid is a federated Bitcoin sidechain second-layer solution designed for fast and private settlements, using confidential transactions to hide amounts and assets (however, the Blockstream Green Wallet has the option to route using Tor), and enabling the issuance of tokens. Unlike Lightning, it is not focused on instant micropayments, but rather on safer and more efficient movement of larger values.

X (formerly Twitter)
Blockstream Jade (@BlockstreamJade) on X
Blockstream Jade is unaffected by the NPM supply chain attack targeting JavaScript packages.
Always confirm the exact send and receive address on ...

X (formerly Twitter)
Blockstream (@Blockstream) on X
The Blockstream app does not use JavaScript or NPM.
The Blockstream app and Blockstream Jade are unaffected by the ongoing NPM JavaScript supply c...

X (formerly Twitter)
Blockstream (@Blockstream) on X
@altinnerup Swift for iOS
Kotlin for Android
C++ and QML for desktop (Qt)