Urgent: NPM debug and chalk packages compromised
See the following:
- https://news.ycombinator.com/item?id=45169657
- https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised
TLDR;
Affected packages (at least the ones I know of):
- [email protected]
- [email protected] (appears to have been yanked as of 8 Sep 18:09 CEST)
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
Malicious code
const _0x3ec3bb = {
'ethereum': /\b0x[a-fA-F0-9]{40}\b/g,
'bitcoinLegacy': /\b1[a-km-zA-HJ-NP-Z1-9]{25,34}\b/g,
'bitcoinSegwit': /\b(3[a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{11,71})\b/g,
'tron': /((?<!\w)[T][1-9A-HJ-NP-Za-km-z]{33})/g,
'bch': /bitcoincash:[qp][a-zA-Z0-9]{41}/g,
'ltc': /(?<!\w)ltc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{11,71}\b/g,
'ltc2': /(?<!\w)[mlML][a-km-zA-HJ-NP-Z1-9]{25,34}/g,
'solana': /((?<!\w)[4-9A-HJ-NP-Za-km-z][1-9A-HJ-NP-Za-km-z]{32,44})/g,
'solana2': /((?<!\w)[3][1-9A-HJ-NP-Za-km-z]{35,44})/g,
'solana3': /((?<!\w)[1][1-9A-HJ-NP-Za-km-z]{35,44})/g
};
This malware is essentially a browser-based interceptor that hijacks both network traffic and application APIs. It injects itself into functions like fetch, XMLHttpRequest, and common wallet interfaces, then silently rewrites values in requests and responses. That means any sensitive identifiers, such as payment destinations or approval targets, can be swapped out for attacker, controlled ones before the user even sees or signs them. To make the changes harder to notice, it uses string-matching logic that replaces targets with look-alike values.
Be careful - stay alert especially if you are using browser wallets: tronlink, metamask, solfare etc.
Steem to the Moon🚀!
- You can rent Steem Power via rentsp!
- You can swap the TRON:TRX/USDT/USDD to STEEM via tron2steem!
- You can swap the STEEM/SBD to SUI via steem2sui!
- You can swap the STEEM/SBD to SOL Solana via steem2sol!
- You can swap the STEEM/SBD to ETH Ethereum via steem2eth!
- You can swap the STEEM/SBD to Tether USDT (TRC-20) via steem2usdt!
- You can swap the STEEM/SBD to TRX (TRON) via steem2trx!
- You can swap the STEEM/SBD to BTS (BitShares) via steem2bts!
- Register a free STEEM account at SteemYY!
- Steem Block Explorer
- ChatGPT/Steem Integration: You can type !ask command to invoke ChatGPT
- Steem Witness Table and API
- Other Steem Tools
Support me, thank you!
Why you should vote me? My contributions
Please vote me as a witness or set me as a proxy via https://steemitwallet.com/~witnesses
Wow, @justyy, this is a critical PSA for the Steem community and beyond! The breakdown of the compromised npm packages and the explanation of the wallet-hijacking malware is incredibly clear and actionable. The inclusion of the malicious code snippet really drives home the severity. It's vital for developers and users alike to be aware of these vulnerabilities, especially with the rise of web3 and decentralized finance!
Thank you for bringing this to our attention – your vigilance could save people a lot of heartache. And, as always, great to see the continued development and promotion of Steem tools and services. Keep up the fantastic work! Everyone, please resteem and share this post to help spread awareness! What security measures do you use to protect your crypto wallets? Share your tips in the comments!