Initial reports of a large-scale supply-chain attack on the JavaScript Node Package Manager (NPM) registry triggered a brief but intense period of panic within the crypto community. For a few hours, doomsayers seized on the warning, speculating about a widespread theft of user funds. At the time, Ledger CTO Charles Guillemet advised software wallet users to cease on-chain transactions and hardware wallet users to double-check every transaction before signing it.
However, as the hours passed, the magnitude of the attack became clearer: the malicious code was highly targeted, and the number of affected applications was limited. Prominent projects such as Uniswap, Metamask, OKX Wallet and Aave released statements confirming they were not affected.
The lack of widespread damage quickly turned the initial panic into a debate. Some relieved crypto users began to question the severity of the original warning, with some now viewing it as alarmist and potentially even an indirect attack on software wallets. This perspective suggests that the warning, while highlighting a genuine vulnerability, may have been overstated to promote the use of hardware wallets.
While the limited damage in terms of stolen crypto has led some to brand the exploit a “nothingburger,” several blockchain security experts insist the incident should serve as a wake-up call to all software developers. These experts agree that the incident validates the security model of hardware wallets, but they also warn that users of such wallets could still lose funds to a similar attack under certain circumstances.
Augusto Teixeira, a co-founder at Cartesi, illustrated this point, stating, “Even hardware wallet users could be affected by such attacks. For example, several people use their hardware wallets with the help of Metamask, without verifying the data on the device’s screen. This is becoming more common as transactions become more elaborate and people blind-sign them. Verifying is difficult.”
According to Teixeira, hardware wallets lack important features such as address books or integration with JSON ABIs, which would let users understand from the device’s screen what they are actually signing.
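As an added illustration of the gap Teixeira describes (this is example code written for this page, not code from the article or from any wallet or project named in it): a device that only shows raw calldata asks the user to blind-sign bytes, whereas an ABI-aware decoder can render the same bytes as a function name, a counterparty address and an amount, and can flag an unlimited token approval. The decoder below is a deliberately small hand-written one that understands only the two ERC-20 calls (`transfer` and `approve`) whose 4-byte selectors are hard-coded; a real wallet would load full JSON ABIs. All calldata and addresses in it are constructed for the example.

```javascript
// Minimal ABI-style decoder for the two ERC-20 calls that most signing
// decisions hinge on. A selector is the first 4 bytes of keccak256 of the
// function signature; the two values below are the well-known ones for
// transfer(address,uint256) and approve(address,uint256).
const KNOWN_SELECTORS = {
  a9059cbb: { name: "transfer", params: ["address", "uint256"] },
  "095ea7b3": { name: "approve", params: ["address", "uint256"] },
};

const MAX_UINT256 = (1n << 256n) - 1n; // the "unlimited approval" amount

// Helper used only to build sample calldata for this example (constructed input).
function encodeErc20Call(selector, address, amount) {
  const addrWord = address.toLowerCase().replace(/^0x/, "").padStart(64, "0");
  const amountWord = amount.toString(16).padStart(64, "0");
  return "0x" + selector + addrWord + amountWord;
}

// Returns the i-th 32-byte ABI word (64 hex chars) after the selector.
function wordAt(hex, i) {
  const start = 8 + i * 64;
  const word = hex.slice(start, start + 64);
  if (word.length !== 64) throw new Error(`calldata too short for parameter ${i}`);
  return word;
}

// Decodes calldata into {selector, name, args, blind, warnings}. When the
// selector is unknown, blind is true: the device could only show raw bytes.
function decodeCalldata(calldata) {
  const hex = calldata.toLowerCase().replace(/^0x/, "");
  if (hex.length < 8) throw new Error("calldata shorter than a selector");
  const selector = hex.slice(0, 8);
  const fn = KNOWN_SELECTORS[selector];
  if (!fn) {
    return { selector, name: null, args: [], blind: true,
             warnings: ["unknown selector: only raw bytes can be shown"] };
  }
  const warnings = [];
  const args = fn.params.map((type, i) => {
    const word = wordAt(hex, i);
    if (type === "address") {
      // An address occupies the low 20 bytes; the top 12 bytes must be zero.
      if (!/^0{24}/.test(word)) throw new Error(`non-zero padding in address parameter ${i}`);
      return "0x" + word.slice(24);
    }
    return BigInt("0x" + word); // uint256
  });
  if (fn.name === "approve" && args[1] === MAX_UINT256) warnings.push("unlimited approval");
  const trailingBytes = (hex.length - (8 + fn.params.length * 64)) / 2;
  if (trailingBytes > 0) warnings.push(`${trailingBytes} trailing byte(s) not decoded`);
  return { selector, name: fn.name, args, blind: false, warnings };
}

// Renders what a device screen with ABI support could show instead of raw hex.
function describe(calldata) {
  const d = decodeCalldata(calldata);
  if (d.blind) return `BLIND SIGN: unknown selector 0x${d.selector}`;
  const [counterparty, amount] = d.args;
  const amountText = amount === MAX_UINT256 ? "UNLIMITED" : amount.toString();
  const warn = d.warnings.length ? ` [WARNING: ${d.warnings.join("; ")}]` : "";
  return `${d.name}(${counterparty}, ${amountText})${warn}`;
}

// Constructed sample transactions (addresses are placeholders, not real ones).
const SAMPLE_TRANSFER = encodeErc20Call("a9059cbb", "0x" + "11".repeat(20), 1000000n);
const SAMPLE_UNLIMITED_APPROVE = encodeErc20Call("095ea7b3", "0x" + "ab".repeat(20), MAX_UINT256);
const SAMPLE_UNKNOWN = "0xdeadbeef" + "00".repeat(64);

console.log("raw   :", SAMPLE_UNLIMITED_APPROVE);
console.log("decoded:", describe(SAMPLE_TRANSFER));
console.log("decoded:", describe(SAMPLE_UNLIMITED_APPROVE));
console.log("decoded:", describe(SAMPLE_UNKNOWN));
```

The first console line is what a blind-signing flow asks the user to approve; the following lines are what the same bytes mean. The "unlimited approval" warning is the case worth watching for in practice, because a single such signature lets the approved contract move the entire token balance later, without any further prompt on the device.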
The NPM incident has called into question the security practices of developers, package managers and organizations. Some in the crypto industry believe that following best practices, such as peer review and requiring approval before any developer can push code to production, can reduce the probability of such an attack. They also argue that developers should keep their systems updated and avoid reusing passwords.
Shahaf Bar-Geffen, co-founder and CEO at COTI, believes that package managers like NPM should make signing in to a publisher account more difficult for a would-be attacker. He argues that a “Critical Package Security Framework,” potentially overseen by bodies like the OpenJS Foundation, “could mandate strong authentication (2FA, scoped API tokens), reproducible builds, and annual third-party audits for packages exceeding high download thresholds.” Bar-Geffen believes this tiered verification model would help incentivize best practices while protecting critical infrastructure.
To avoid having to rely on a single person (who may have vested interests) to expose malicious activity, Carlo Fragni, Solution Architect at Cartesi, encourages projects to stay tuned to channels used by researchers. He also advocates for “using dependency analyzing tooling and performing due diligence on every dependency whenever it’s updated to a new version.”
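One concrete form of the due diligence Fragni recommends is to review what actually changed in the lockfile whenever a dependency moves, before the new tree is installed on a developer machine or in CI. The script below is an added example written for this page (not code from Cartesi or from the article): it compares the `packages` maps of two npm lockfiles (lockfile version 2 or 3 format) and reports added, removed and upgraded packages, and separately flags the patterns that deserve a closer look: a package whose tarball hash changed without a version bump, a package resolved from somewhere other than the public registry, a package that newly declares an install script, and a package with no integrity hash at all. The two lockfiles and all package names in it are constructed for the example.

```javascript
const REGISTRY = "https://registry.npmjs.org/";

// Compares two npm lockfiles and returns what changed plus a list of
// findings that should be reviewed by a human before the update is accepted.
function diffLockfiles(oldLock, newLock) {
  const oldPkgs = oldLock.packages || {};
  const newPkgs = newLock.packages || {};
  const report = { added: [], removed: [], upgraded: [], suspicious: [] };
  const flag = (path, version, reason) => report.suspicious.push({ path, version, reason });

  for (const [path, pkg] of Object.entries(newPkgs)) {
    if (path === "") continue; // "" is the root project entry, not a dependency
    const prev = oldPkgs[path];
    if (!prev) {
      report.added.push({ path, version: pkg.version });
    } else if (prev.version !== pkg.version) {
      report.upgraded.push({ path, from: prev.version, to: pkg.version });
    } else if (prev.integrity && pkg.integrity && prev.integrity !== pkg.integrity) {
      // Same version, different tarball: the artifact behind a version was replaced.
      flag(path, pkg.version, "integrity changed without a version bump");
    }
    if (pkg.resolved && !pkg.resolved.startsWith(REGISTRY)) {
      flag(path, pkg.version, `resolved outside the public registry: ${pkg.resolved}`);
    }
    // npm records hasInstallScript when a package declares (pre|post)install hooks,
    // which run arbitrary code on every install.
    if (pkg.hasInstallScript && !(prev && prev.hasInstallScript)) {
      flag(path, pkg.version, "gained an install script");
    }
    if (!pkg.integrity) flag(path, pkg.version, "no integrity hash recorded");
  }
  for (const [path, prev] of Object.entries(oldPkgs)) {
    if (path !== "" && !newPkgs[path]) report.removed.push({ path, version: prev.version });
  }
  return report;
}

// Constructed sample lockfiles: package names, versions and hashes are placeholders.
const OLD_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "wallet-frontend", version: "1.0.0" },
    "node_modules/color-utils": { version: "4.1.2", resolved: REGISTRY + "color-utils/-/color-utils-4.1.2.tgz", integrity: "sha512-AAAA" },
    "node_modules/log-helper": { version: "2.0.0", resolved: REGISTRY + "log-helper/-/log-helper-2.0.0.tgz", integrity: "sha512-BBBB" },
    "node_modules/old-dep": { version: "0.9.0", resolved: REGISTRY + "old-dep/-/old-dep-0.9.0.tgz", integrity: "sha512-CCCC" },
  },
};
const NEW_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "wallet-frontend", version: "1.0.0" },
    "node_modules/color-utils": { version: "4.1.3", resolved: REGISTRY + "color-utils/-/color-utils-4.1.3.tgz", integrity: "sha512-DDDD", hasInstallScript: true },
    "node_modules/log-helper": { version: "2.0.0", resolved: REGISTRY + "log-helper/-/log-helper-2.0.0.tgz", integrity: "sha512-EEEE" },
    "node_modules/new-dep": { version: "1.0.0", resolved: "https://mirror.example.net/new-dep-1.0.0.tgz", integrity: "sha512-FFFF" },
  },
};

function sampleReport() {
  return diffLockfiles(OLD_LOCK, NEW_LOCK);
}

const report = sampleReport();
for (const key of ["added", "removed", "upgraded", "suspicious"]) {
  console.log(`${key}:`, JSON.stringify(report[key]));
}
```

In practice the script would load `package-lock.json` from the base and head of a pull request instead of the inline objects, and a non-empty `suspicious` list would fail the check until someone has read the relevant diff of the dependency itself. Installing with `npm ci --ignore-scripts` in CI, and only enabling install scripts for the packages that genuinely need them, removes the most common execution path for a compromised package independently of this review.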
Disclaimer: This article represents only the personal views of its author and does not represent the position or views of this platform. It is provided for information sharing only and does not constitute investment advice to anyone. Any dispute between users and the author is unrelated to this platform. If an article or image published on this page infringes any rights, please send proof of ownership and identity to support@aicoin.com and the platform's staff will review it.