Slow Mist Cosine: Although the poisoned version of Ledger npmjs has been deleted, there are still poisoned js files on jsDelivr.
Golden Finance reported that SlowMist founder, Yu Xian, posted on social media regarding the Ledger vulnerability. The project team currently needs to pay attention to the following:
1. The poisoned module of Ledger is on the npmjs platform. After a former employee's npmjs account was phished, the attacker can publish modules with poison.
2. The published module will automatically update to the jsDelivr CDN.
3. Ledger's Connect Kit directly imports js files from jsDelivr CDN, which is very rough. There is no file hash binding and no strict restriction on the imported version.
4. The former employee actually left such important permissions. The internal security management mechanism needs to be strengthened. According to the worst principle, if there is internal wrongdoing, can it be effectively avoided and detected in a timely manner?
5. It is necessary to note that although the poisoned version of Ledger npmjs has been deleted, there are still poisoned js files on jsDelivr.
These security recommendations are for other project parties to learn from. Don't be lazy. Every security incident is a good opportunity to review oneself.
Disclaimer: The content of this article solely reflects the author's opinion and does not represent the platform in any capacity. This article is not intended to serve as a reference for making investment decisions.
You may also like
Pantera Partners: Which DePIN projects have real revenue?DePin Case Studies
Some DePIN projects achieve sustainable profitability by solving existing problems, even without relying on the flywheel effect of token economics.
Cardano Partners With Barcelona to Enhance Fan Interaction
XRP Ledger v2.3.0 Upgrade to 2.3.0: Essential Changes and 80% Server Upgrade Milestone
Best New Meme Coins with 1000X Potential: BTFD Coin’s Presale Rally Sparks Buzz While Pudgy Penguins and Osaka Protocol Thrive
Trending news
MoreCrypto prices
More
