Slow Mist Cosine: Although the poisoned version of Ledger npmjs has been deleted, there are still poisoned js files on jsDelivr.
Golden Finance reported that SlowMist founder, Yu Xian, posted on social media regarding the Ledger vulnerability. The project team currently needs to pay attention to the following:
1. The poisoned module of Ledger is on the npmjs platform. After a former employee's npmjs account was phished, the attacker can publish modules with poison.
2. The published module will automatically update to the jsDelivr CDN.
3. Ledger's Connect Kit directly imports js files from jsDelivr CDN, which is very rough. There is no file hash binding and no strict restriction on the imported version.
4. The former employee actually left such important permissions. The internal security management mechanism needs to be strengthened. According to the worst principle, if there is internal wrongdoing, can it be effectively avoided and detected in a timely manner?
5. It is necessary to note that although the poisoned version of Ledger npmjs has been deleted, there are still poisoned js files on jsDelivr.
These security recommendations are for other project parties to learn from. Don't be lazy. Every security incident is a good opportunity to review oneself.
Disclaimer: The content of this article solely reflects the author's opinion and does not represent the platform in any capacity. This article is not intended to serve as a reference for making investment decisions.
You may also like
Subscribe to TANSSI Savings and enjoy up to 15% APR
TACUSDT now launched for futures trading and trading bots
VELVETUSDT now launched for futures trading and trading bots
Bitget Spot Bot adds PUMP/USDT
Trending news
MoreCrypto prices
More
