🚨Two versions (1.95.6 and 1.95.7) of the popular solana/web3.js npm library were recently discovered to be malicious, harvesting private keys to drain wallets.

nostr:npub1az9xj85cmxv8e9j9y80lvqp97crsqdu2fpu3srwthd99qfu9qsgstam8y8 , nostr:npub1hea99yd4xt5tjx8jmjvpfz2g5v7nurdqw7ydwst0ww6vw520prnq6fg9v2 & nostr:npub1emdtsxly9m68m00x206t574jttp65vk0c2m89ms038q047yz7ylqcac9aw discuss the lessons to be learned from this incident in BR089.

https://m.primal.net/NITH.mov


Discussion

One note, although I’m not the biggest fan of the current JavaScript ecosystem, it doesn’t seem right to say it’s wrong to do anything secure in the language. Backdoors can be put anywhere, even in “secure” systems languages without auto upgrades and vendored deps as the recent XZ Utils fiasco shows.