Greetings Central PA Bitcoiners!
We've got an educational meetup lined up for this Saturday! Our educational meetups feature a presentation, and the topic for Saturday's meetup is "Stacking Sats or Stacking Shares?". If you're new to bitcoin or new to our meetup group, this is a great function for you to attend.
2025 has been a year that has seen bitcoin come further into the spotlight of legacy financial media and the mainstream consciousness in general. Turn on a legacy financial news show, or pull up Yahoo Finance, and most days there will be a headline about bitcoin. New financialized products have become available: spot ETFs, bitcoin treasury company stock, as well as bond/money market products offered by bitcoin treasury companies.
What's the difference between MSTR, IBIT, and self-custody bitcoin? Although each has an exchange rate that correlates with BTCUSD, there are important differences.
Topics...
What's the purpose of bitcoin ETFs?
What's the value proposition of bitcoin treasury companies?
Individuals' freedom of choice vs an organization's restricted options
Stacking sats & stacking skills
Ideas for leveling up your skills and setup
We'll begin at 1pm on Saturday, Sept 13th, at the Simpson Library in Mechanicsburg. Beginners welcome! Hope to see you there! Reminder: in addition to our quarterly educational meetups, we have monthly coffee meetups at 1pm on the fourth Sunday of every month at Denim Coffee in Mechanicsburg. The next coffee meetup is on Sunday, Sept 28th.
-------------------------------
There's one important technical news story to talk about from the past week. News recently broke of a supply chain attack that can potentially affect wallets that use the Node Package Manager (NPM) for JavaScript libraries.
Here's the breakdown: when developers build wallets, they usually don't build them from scratch. A popular approach is to build on existing code libraries. As an analogy, if you're trying to build a ten story building, using one of these NPM libraries is like starting with the foundation and first couple of floors established already, which makes work a lot faster and easier. This week we learned the downside: if there's an issue in one of these code libraries, it can potentially affect all of the downstream software that builds upon it. Which wallets build upon NPM libraries? A lot.
What can this malicious code do? When you're building a transaction, it can replace the recipient's address with the attacker's address. Not only are they replacing the address, they are using addresses that resemble portions of the intended recipient's address. This means that if you're trying to send to an address that ends in xyz, the attacker can insert one of their own addresses that also ends in xyz. They know that many people only check the first few and last few characters of an address, rather than parts of the middle, or the whole thing.
This is where hardware wallets really shine. When using a hardware wallet that has a screen, addresses can be verified before transactions are signed, guarding against this attack. By verifying the address before signing, an attacker's address can be detected and the attack thwarted. When entrusting your hodl, it can't be stressed enough how valuable hardware devices are for protecting against such attacks.
Mitigation Strategies:
For hardware wallets: Verify the full address on the device's screen before signing; compare it to the intended recipient. Avoid signing if there's any discrepancy.
Switch to non-NPM software like Sparrow Wallet for compatible hardware (e.g., Trezor, Ledger, BitBox, Jade, Keystone).
For hardware devices without screens (e.g., BitKey, Tapsigner): Avoid on-chain transactions until updates are released.
General advice: Check full addresses (not just first/last characters), especially for large transactions. There is no undo in Bitcoin—take time to verify.
Unless you're willing to take the risk, refrain from sending hot wallet on-chain transactions until the situation becomes clearer.
Stay informed as the situation evolves.
Use open-source, air-gapped, bitcoin-only, screen-equipped hardware wallets for best security, and always verify addresses.
Slow down and never panic! Ask for help from trusted contacts if you need help or advice.
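To illustrate why checking only the first and last few characters is not enough, here is an added example (not code from any wallet or from the affected libraries) that compares two addresses in full and reports which 4-character groups differ. The function names and both sample strings are made up for illustration; the strings are constructed placeholders, not real addresses.

```javascript
// Constructed placeholders (not valid Bitcoin addresses). They share the same
// first 4 and last 4 characters but differ in the middle.
const INTENDED = "bc1qaaaabbbbccccddddeeeeffffgggghhhh7xyz";
const SWAPPED  = "bc1qaaaabbbbcccczzzzeeeeyyyygggghhhh7xyz";

// The weak check many people do by eye: only the first and last n characters.
function endsMatch(intended, candidate, n = 4) {
  return intended.slice(0, n) === candidate.slice(0, n) &&
         intended.slice(-n) === candidate.slice(-n);
}

// Split an address into groups of 4 so it can be read against a device screen.
function chunk(address, size = 4) {
  const groups = [];
  for (let i = 0; i < address.length; i += size) {
    groups.push(address.slice(i, i + size));
  }
  return groups;
}

// Full comparison. No case folding: some address formats are case-sensitive.
// Returns whether the addresses are identical and, if not, which
// 4-character groups (counted from 1) differ.
function compareAddresses(intended, candidate) {
  const a = intended.trim();
  const b = candidate.trim();
  const intendedGroups = chunk(a);
  const candidateGroups = chunk(b);
  const differingGroups = [];
  const total = Math.max(intendedGroups.length, candidateGroups.length);
  for (let i = 0; i < total; i++) {
    // A missing group (different lengths) also counts as a difference.
    if (intendedGroups[i] !== candidateGroups[i]) differingGroups.push(i + 1);
  }
  return { match: a === b, differingGroups, intendedGroups, candidateGroups };
}

const result = compareAddresses(INTENDED, SWAPPED);
console.log("ends-only check passes:", endsMatch(INTENDED, SWAPPED));
console.log("full check passes:     ", result.match);
console.log("intended: ", result.intendedGroups.join(" "));
console.log("candidate:", result.candidateGroups.join(" "));
console.log("groups that differ:", result.differingGroups.join(", "));
```

A check like this only helps when the intended address comes from a trusted source and the comparison happens somewhere the compromised software cannot alter, which is why the hardware wallet's own screen is the place to compare.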
-------------------------
Hope to see you this Saturday!
~lonelypumpkins
Central PA Bitcoiners