You have to admit, handing the module maintenance to a foreign guy you have never heard of and who just emailed you, is totally ridiculous. 
Does it mean so, any crypto wallet that makes use of Javascript is potentially vulnerable or already infected? I can already smell the waves of articles about this. Like if we needed more bad news these days...
Any crypto wallet pulling random NPM modules for their projects.Does it mean so, any crypto wallet that makes use of Javascript is potentially vulnerable or already infected? I can already smell the waves of articles about this. Like if we needed more bad news these days...
Check my post in the other thread:
I don't use Copay, but this is worrying. Mostly because of this part:
I already knew how dangerous can be running tons of third-party NPM packages because of this super interesting article I read a few months ago: I’m harvesting credit card numbers and passwords from your site. Here’s how.
Quote
This is one of the major issues with JavaScript-based cryptocurrency wallets with heavy up-stream dependencies coming from NPM. @BitPay essentially trusted all the up-stream developers to never inject malicious code into their wallet.@dominictarr also let the attacker in, sadly
From: https://twitter.com/ummjackson/status/1067132600739721216Quote
You do know how many products and services do this? This is a much bigger issue than just BitPay.
From: https://twitter.com/brianchoffman/status/1067141337772888070I already knew how dangerous can be running tons of third-party NPM packages because of this super interesting article I read a few months ago: I’m harvesting credit card numbers and passwords from your site. Here’s how.
