Comment by phkahler
3 months ago
>> which silently intercepts crypto and web3 activity in the browser, manipulates wallet interactions, and rewrites payment destinations so that funds and approvals are redirected to attacker-controlled accounts without any obvious signs to the user.
If you're doing financial transactions using a big pile of NPM dependencies, you should IMHO be financially liable for this kind of thing when your users get scammed.
using NPM at all must be treated as a liability at this point. it's not the first and definitely not the last time NPM got pwned this hard.
Lots of very big financial originations and other F100 companies use a whole lot more node than you'd be comfortable with.
Luckily some of them actually import the packages to a local distribution point and check them first.
It isn't uncommon in crypto ecosystems for the core foundation to shovel slop libraries on application developers.