FatMan
FatMan|Dec 26, 2025 05:19
Surprised it took so long for this underrated attack vector to hit a mainstream wallet. It has always been fairly easy for a rogue dev to swap out to a malicious dependency for a "bug fix" or even for volunteer dependency managers to be bribed or have their GitHub accounts bought. In theory, if you compromise a big wallet with this, you could drain nine figures. This is actually a good thing though (sorry) - self-contained attack, only $7m stolen, Binance claims they will refund all victims, and now other wallet teams have witnessed a hard lesson in prod about this specific attack vector and will minimise external package use as much as they can, and can also be wary of odd dependency changes.(FatMan)
+4
Mentioned
Share To

Timeline

HotFlash

APP

X

Telegram

Facebook

Reddit

CopyLink

Hot Reads