timedropper | LIFT | HUDL

Phantom is not at risk. We have confirmed Phantom does not use any vulnerable versions of the affected packages. We take a number of steps to guard against these types of attacks, including: - Strict version pinning for all dependencies, preventing automatic updates to potentially compromised packages - Mandatory security reviews for all package upgrades before integration - Multi-layered dependency scanning and vulnerability monitoring - Isolated build environments with integrity verification We take the security of our users and their funds extremely seriously and will continue investing in our security practices to keep them safe against evolving threats like this one. https://t.co/ZPPUroKieR

🚨 Massive NPM supply chain attack in progress. One compromised maintainer account → billions at risk. Here’s what’s happening & how to stay safe 👇 1/ A top maintainer’s NPM account (qix) was hacked. Malicious versions of core packages like strip-ansi, color-convert, is-core-module, error-ex published. These aren’t niche libs — they sit deep inside almost every JS project. Weekly downloads = 100M+. 2/ The malware is a crypto-clipper. It does 2 things: Patches fetch/XHR → scans every network request for wallet addresses & swaps them. Hijacks wallet txns (eth_sendTransaction) → silently replaces recipient with attacker’s. 3/ The code is obfuscated + sneaky. It even uses Levenshtein distance to swap addresses with lookalikes so victims don’t notice. If you sign without checking, your funds are gone. 4/ How this was caught: A random build failed with ReferenceError: fetch is not defined. Turns out the error-ex package had a brand new malicious version (1.3.3). One tiny utility… 47M weekly downloads. 5/ Protect yourself (users): Verify addresses on a hardware wallet screen before signing. Pause non-urgent on-chain txns if using software wallets. Never trust copy-paste blindly. 6/ Protect yourself (devs): Use npm ci in pipelines (locks deps to package-lock.json). Pin vulnerable deps with overrides. Audit with npm audit / Snyk / Dependabot. Treat lockfile PRs like prod code. 7/ Lesson: open source runs on trust. One account breach can ripple through the entire ecosystem. This may be one of the biggest supply chain attacks JS has ever seen. Stay safe. 🛡️

Every strong community has people who hold it together. For Timpi, that’s our moderators. They’re the ones jumping in during node sales, untangling problems, supporting, and making sure every question gets a real answer. They’ve carried so much of the day-to-day so the rest of us can focus on building. If they’ve helped you out, or just made this space feel better, drop a thank you below. They deserve it. ❤️

I also never used Linux before Timpi and I have to say, nowadays with ChatGPT it's pretty easy to setup the whole system optimized for 24/7 node-running. I could even setup monitoring tools that notify me on my e-mail whenever something is off... and all through Command Line! 💪🏼😁✨️

Crypto should be secure and simple — not a browser extension away from disaster. @Tangemis rethinking self-custody with smartcards that feel like credit cards, no seed phrase, no battery, no learning curve. Just tap & go. 🟢 🔐 Military-grade security 📲 App-based management 🛡️ Self-custody without complexity Loved by travelers, traders & token holders worldwide — Tangem bridges the gap between security and usability. Take part in Enter the depinhouse, the biggest DePIN campaign of the year: 🔹 Complete Galxe quests 🔹 $50,000+ in rewards 📷🎁 🔹 150+ DePIN devices to win https://t.co/mCK1zZEPi1