FatMan|Dec 26, 2025 05:19
Surprised it took so long for this underrated attack vector to hit a mainstream wallet. It has always been fairly easy for a rogue dev to swap out to a malicious dependency for a "bug fix" or even for volunteer dependency managers to be bribed or have their GitHub accounts bought. In theory, if you compromise a big wallet with this, you could drain nine figures.
This is actually a good thing though (sorry) - self-contained attack, only $7m stolen, Binance claims they will refund all victims, and now other wallet teams have witnessed a hard lesson in prod about this specific attack vector and will minimise external package use as much as they can, and can also be wary of odd dependency changes.(FatMan)
Share To
Timeline
HotFlash
APP
X
Telegram
CopyLink