xTupax.eth

As a MetaMask user, you do not need to be scared of the supply chain attack that took place earlier today. MetaMask has multiple layers of defense to protect our products and users: - Basic Security: We lock our versions, don't push directly to main, have manual and automated checks during the entire development lifecycle, and have robust release processes and monitored rollouts. - LavaMoat: Prevents malicious code from harming you, even if malicious code was to somehow sneak in. LavaMoat covers both the development lifecycle and runtime scenarios. - Blockaid: Flags malicious addresses nearly instantaneously, protecting you from compromised dapps. Security is paramount for MetaMask. We work tirelessly to protect you from attacks and threats, including supply chain attacks. 🧡

Phantom is not at risk. We have confirmed Phantom does not use any vulnerable versions of the affected packages. We take a number of steps to guard against these types of attacks, including: - Strict version pinning for all dependencies, preventing automatic updates to potentially compromised packages - Mandatory security reviews for all package upgrades before integration - Multi-layered dependency scanning and vulnerability monitoring - Isolated build environments with integrity verification We take the security of our users and their funds extremely seriously and will continue investing in our security practices to keep them safe against evolving threats like this one. https://t.co/ZPPUroKieR

🚨 There’s a large-scale supply chain attack in progress: the NPM account of a reputable developer has been compromised. The affected packages have already been downloaded over 1 billion times, meaning the entire JavaScript ecosystem may be at risk. The malicious payload works by silently swapping crypto addresses on the fly to steal funds. If you use a hardware wallet, pay attention to every transaction before signing and you're safe. If you don’t use a hardware wallet, refrain from making any on-chain transactions for now. It’s still unclear whether the attacker is also stealing seeds from software wallets directly at this stage. Excellent report here: https://t.co/5CtiZJHYsN