OKX Wallet: Unaffected by Third-Party Component Security Incident, APP and Web3 Platforms Remain Safe to Use

金色财经|Sep 09, 2025 04:43
September 9 news: In response to the "NPM Supply Chain Attack" incident, OKX Wallet stated that OKX always prioritizes system security and strictly controls the risks of third-party component usage throughout the entire product development and launch process. After internal investigation and evaluation, the OKX APP, which is developed on native Android and iOS frameworks, does not have related security risks. Additionally, the OKX plugin, web application, and mobile DApp browser have not used affected versions of third-party components. All platform services are operating normally, and users can continue to use them with confidence.

It is reported that attackers used phishing emails (disguised as npmjs support) to steal the NPM account credentials of developer qix, and then injected malicious code into 18 popular JavaScript packages (including chalk, debug-js, etc., with over 2 billion weekly downloads). This attack is considered the largest-scale supply chain attack in history.

Notably, the malicious code did not attempt to implant trojans or steal files in the local environment but specifically targeted Web3 scenarios: if it detected the presence of `window.ethereum` in the browser environment, it would hijack transaction requests. It redirected funds to addresses controlled by the attackers (such as the Ethereum address 0xFc4a4858...) by tampering with Ethereum and Solana transaction requests in the browser, and stole assets by replacing cryptocurrency addresses in JSON responses. Although the page displayed the normal transaction address, the actual funds were transferred to the attackers' address.
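A defensive check for the mismatch described above (the page shows one address, the request carries another), as an added example that is not code from the report, OKX, or the affected packages. It covers only Ethereum native transfers and ERC-20 `transfer` calls; the function names and the sample addresses are hypothetical and constructed for illustration.

```javascript
// Added example: compare the recipient the user approved with the recipient
// actually carried by an outgoing eth_sendTransaction request.
// normalize, recipientOf and checkOutgoingTx are hypothetical names.

const ERC20_TRANSFER = "a9059cbb"; // selector of transfer(address,uint256)

// Validate a 20-byte hex address and lower-case it for comparison.
function normalize(addr) {
  if (typeof addr !== "string" || !/^0x[0-9a-fA-F]{40}$/.test(addr)) {
    throw new TypeError("not a 20-byte hex address: " + addr);
  }
  return addr.toLowerCase();
}

// Return the address that will really receive value for this transaction.
// For an ERC-20 transfer the recipient sits in the calldata, not in `to`.
function recipientOf(tx) {
  const data = (tx.data || "0x").replace(/^0x/, "").toLowerCase();
  if (data.startsWith(ERC20_TRANSFER)) {
    if (data.length !== 8 + 64 + 64) throw new Error("malformed transfer calldata");
    const word = data.slice(8, 72); // first 32-byte argument
    if (!/^0{24}/.test(word)) throw new Error("dirty address padding");
    return normalize("0x" + word.slice(24));
  }
  return normalize(tx.to); // throws (fails closed) when `to` is missing
}

// Verify the request against the address the user confirmed in the UI.
function checkOutgoingTx(request, approvedRecipient) {
  if (request.method !== "eth_sendTransaction") return { ok: true, reason: "not a transfer" };
  const actual = recipientOf(request.params[0]);
  const expected = normalize(approvedRecipient);
  return actual === expected
    ? { ok: true, actual }
    : { ok: false, actual, reason: "recipient differs from approved address" };
}

// Constructed sample values (not addresses from the incident).
const APPROVED = "0x" + "11".repeat(20);
const SWAPPED = "0x" + "22".repeat(20);
const TOKEN = "0x" + "33".repeat(20);
const transferData = (to) =>
  "0x" + ERC20_TRANSFER + to.slice(2).padStart(64, "0") + (1000).toString(16).padStart(64, "0");

console.log(checkOutgoingTx(
  { method: "eth_sendTransaction", params: [{ to: TOKEN, data: transferData(SWAPPED) }] },
  APPROVED));
```

Run inside the page itself, a check like this shares its environment with any injected package code, so it belongs at the signing boundary, such as the wallet's own confirmation step.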