Odaily Planet Daily News: Yu Xian, the founder of SlowMist, posted on the X platform that, in response to the Ledger Connect Kit vulnerability incident, project teams currently need to pay attention to the following:

1. Ledger's poisoned module is on the npmjs platform. After a former employee's npmjs account was hijacked through phishing, the attacker could release poisoned module versions at will.
2. A released module is automatically updated to the jsDelivr CDN.
3. Ledger's Connect Kit directly imports the js file from the jsDelivr CDN, which is very rough: there is no file hash binding and no strict restriction on the imported version.
4. The former employee actually retained such an important permission. The internal security management mechanism must be strengthened. The worst-case principle: if there is an insider acting maliciously, can it be effectively prevented and discovered in time?
5. Note that although the poisoned Ledger versions have been deleted from npmjs, poisoned js files still remain on jsDelivr.

These security suggestions are for other project teams to learn from. Don't be lazy. Every security incident is a good opportunity to review yourself.