⚡️🚨 ALERT - Aikido Security has flagged what may be the largest npm supply chain hack ever targeting crypto holders. A long-trusted maintainer (“qix”) was phished, and 18 popular packages, including chalk, debug, and ansi-styles (2B+ weekly downloads), were injected with wallet-draining code. The malware silently swaps crypto addresses in MetaMask, Phantom, and other software wallets. Users see the correct recipient, but funds are rerouted to attacker-controlled addresses. The compromised packages have already been downloaded over 1B times, putting the entire JavaScript ecosystem at risk. 🔒 Hardware wallet users: verify every transaction before signing. ⚠️ Software wallet users: avoid on-chain transactions for now.

Replies (25)

Don’t worry, that one is probably safe. He doesn’t play silly games. If it is, he’s already on top of a patch.
bitcoinIke 3 months ago
Grok trying to explain it to me like I am five: Okay, imagine you have a favorite toy box that lots of kids use to build cool things, like a big Lego set. This toy box is called “npm,” and it’s where people get special tools (called packages) to make their computer programs work better. Some of these tools, like “chalk” and “debug,” are super popular, like the best Lego pieces everyone loves to use. Now, a trusted grown-up who takes care of these tools got tricked by a bad person (like someone pretending to be their friend). This bad person sneaked some mean tricks into the tools. These tricks are like tiny invisible robots that can mess with your piggy bank if you use a special app to hold your digital coins (like in a game or app called MetaMask or Phantom). When you try to send your coins to a friend, the trick secretly changes the address, so your coins go to the bad person instead! Lots of people have already used these broken tools—billions of times! So, it’s a big problem for everyone who makes programs with these tools. Here’s what you can do to stay safe:
• If you have a super-safe piggy bank (called a hardware wallet), always double-check where your coins are going before you send them.
• If you use a regular app piggy bank (like a software wallet), don’t send coins right now until the grown-ups fix the problem.
The good news is people are working hard to clean up the toy box and make it safe again!
That absolutely tracks. And as much as the medium of exchange point needs to be stronger, this is a huge case for holding.
Don't use your hardware wallet's companion app. Sparrow doesn't use NPM, so this is fine, but fully check and double-check the address you are sending to on your hardware wallet's display in case this address has been swapped out. If you use Bitkey, don't; it cannot utilise Sparrow and its companion app does use NPM, so don't send any Bitcoin from Bitkey until further notice.
BTC-Satan 3 months ago
Does this have to do with hot wallets?
⚡️🚨 UPDATE - NPM attack: The attack fortunately failed, with almost no victims. It began with a phishing email from a fake npm support domain that stole credentials and gave attackers access to publish malicious package updates. The injected code targeted web crypto activity, hooking into Ethereum, Solana and other chains to hijack transactions, and replacing wallet addresses directly in network responses. The attackers’ mistakes caused crashes in CI/CD pipelines, which led to early detection and limited impact. Still, this is a clear reminder: if your funds sit in a software wallet or on an exchange, you’re one code execution away from losing everything. Supply chain compromises remain a powerful malware delivery vector, and we’re also seeing more targeted attacks emerge. Hardware wallets are built to withstand these threats. Features like Clear Signing let you confirm exactly what’s happening, and Transaction Checks flag suspicious activity before it’s too late. The immediate danger may have passed, but the threat hasn’t. Stay safe — Charles Guillemet.
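The original alert and this update describe two things the injected code did: hook the wallet provider so the transaction that reaches the signer carries a different recipient than the one the page shows, and rewrite addresses inside network responses. The block below is an added toy simulation of both hooks in a constructed, offline environment, followed by the "verify before signing" comparison that a hardware wallet's display gives you. It is example code written for this page, not code from the thread, from the packages named in it, or from the malware; the provider, the transport and every address are placeholders, and only Ethereum-style hex addresses are handled.

```javascript
// Added example (not code from the thread, the packages named in it, or the
// malware itself): a toy simulation of the two hooks the update describes,
// a wallet-provider wrapper that rewrites the recipient of outgoing
// transactions and a transport wrapper that rewrites addresses in network
// responses, plus the "verify before signing" check a hardware wallet display
// gives you. Provider, transport and every address are constructed placeholders.

const INTENDED_TO = "0x1111111111111111111111111111111111111111"; // constructed
const ATTACKER_TO = "0x2222222222222222222222222222222222222222"; // constructed

// Ethereum-style hex addresses. Solana's base58 addresses would need a
// different pattern; this example stays with one chain to keep it short.
const ETH_ADDR_RE = /0x[0-9a-fA-F]{40}/g;

// Stand-in for window.ethereum: records every transaction it is asked to sign.
// A real EIP-1193 request() is Promise-based; the wrapping pattern is the same.
function makeFakeProvider() {
  const signed = [];
  return {
    signed,
    request({ method, params }) {
      if (method === "eth_sendTransaction") signed.push({ ...params[0] });
      return "0xfakehash";
    },
  };
}

// Stand-in for fetch/XMLHttpRequest: returns an API response carrying the
// recipient the dApp will display.
function makeFakeTransport() {
  return {
    get(_url) {
      return { status: 200, body: JSON.stringify({ recipient: INTENDED_TO }) };
    },
  };
}

// Hook 1: wrap provider.request so the recipient of eth_sendTransaction is
// replaced just before it reaches the wallet. The object the UI built (and
// showed the user) is copied, not modified, so the page still looks right.
function hookProvider(provider, attackerAddress) {
  const original = provider.request.bind(provider);
  provider.request = (args) => {
    if (args.method === "eth_sendTransaction" && args.params?.[0]) {
      const tx = { ...args.params[0], to: attackerAddress };
      return original({ ...args, params: [tx] });
    }
    return original(args);
  };
}

// Hook 2: wrap the transport so addresses inside response bodies are rewritten
// before the application parses them.
function hookTransport(transport, attackerAddress) {
  const original = transport.get.bind(transport);
  transport.get = (url) => {
    const res = original(url);
    return { ...res, body: res.body.replace(ETH_ADDR_RE, attackerAddress) };
  };
}

// The check a hardware wallet screen gives you: compare the recipient you
// meant to pay against what is actually about to be signed.
function verifyBeforeSign(intendedTo, txToSign) {
  return typeof txToSign.to === "string" &&
    txToSign.to.toLowerCase() === intendedTo.toLowerCase();
}

// Runs the same payment flow before and after the "compromised package" loads.
function demo() {
  const provider = makeFakeProvider();
  const transport = makeFakeTransport();
  const tx = { to: INTENDED_TO, value: "0x1" }; // what the dApp UI built and displayed

  provider.request({ method: "eth_sendTransaction", params: [tx] });
  const cleanOk = verifyBeforeSign(INTENDED_TO, provider.signed[0]);
  const cleanRecipient = JSON.parse(transport.get("/api/recipient").body).recipient;

  hookProvider(provider, ATTACKER_TO);
  hookTransport(transport, ATTACKER_TO);

  provider.request({ method: "eth_sendTransaction", params: [tx] });
  const hookedOk = verifyBeforeSign(INTENDED_TO, provider.signed[1]);
  const hookedRecipient = JSON.parse(transport.get("/api/recipient").body).recipient;

  return {
    cleanOk,
    hookedOk,
    cleanRecipient,
    hookedRecipient,
    uiStillShows: tx.to,                   // unchanged: the page looks correct
    walletWouldSign: provider.signed[1].to, // what the signer actually receives
  };
}

console.log(demo());
```

The point of the simulation is the gap between `uiStillShows` and `walletWouldSign`: nothing the page renders from its own objects reveals the swap, which is why the advice in the thread is to compare the recipient on a display the injected JavaScript cannot reach (the hardware wallet's own screen) rather than on the web page.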
uranohimawari 3 months ago
https://store.blockstream.com/?code=KgD7dk4Ejmt6 Check out the official announcements from Blockstream and Jade: . . . The Blockstream app and the Jade hardware wallet are NOT affected; the app does not use JavaScript environments or NPM packages. Instead, it is built with Swift (iOS), Kotlin (Android), and C++ with QML (desktop/Qt), completely avoiding this vulnerability that affects packages with billions of downloads and that can swap crypto addresses to steal funds. This means that users' funds remain completely safe. Jade is the Bitcoin-focused hardware wallet emphasizing transparency and isolation, compatible with apps like Blockstream Green for air-gapped transactions via QR codes. Fully open-source code/hardware for community auditing, true air-gapped operation (no USB/Bluetooth for signing), and native Liquid network integration for sidechain assets like L-BTC/USDt. Liquid is a federated Bitcoin sidechain second-layer solution designed for fast and private settlements, using confidential transactions to hide amounts and assets (however, the Blockstream Green Wallet has the option to route using Tor), and enabling the issuance of tokens. Unlike Lightning, it is not focused on instant micropayments, but rather on safer and more efficient movement of larger values.