Binance Square

Supply Chain Security

Blaze_Security
🚨 Case Warning | The Security Barrier Was Breached from the Most Trusted Source
In June, the core software library of hardware wallet vendor Ledger, @ledgerhq/connect-kit, was implanted with malicious code on npm. Hackers contaminated this library by infiltrating employee accounts, leading to the tampering of numerous DApp frontends that used this library, redirecting user transactions to the attackers' addresses.
🔍 Core Vulnerabilities
Single Point of Failure in the Supply Chain: A widely trusted official library became the entry point for attacks, causing the trust chain to collapse instantly.
Ecological Security Blind Spot: The hardware itself is solid, but its software dependency chain has become the most vulnerable link.
🛡️ Key Actions
To Project Parties: Implement version locking and integrity checks on critical dependencies, and establish a security monitoring mechanism for third-party libraries.
To Users: Before confirming any transactions on a hardware wallet, be sure to personally verify the receiving address on its screen, word for word. This is the final line of defense against frontend tampering.
#供应链安全 #硬件钱包 #Ledger #安全生态
🔐 $1.5 Billion Bybit Theft Incident Insights: Supply Chain Attacks Are a Fatal Weakness in Web3
💸 Incident Recap
This year, the cryptocurrency exchange Bybit experienced the largest theft in the industry's history, losing up to $1.5 billion in Ethereum (approximately 401,000 ETH). The root cause was not a direct breach of Bybit's own system, but rather a developer workstation at its infrastructure provider SafeWallet being hacked, leading to malicious code injected into the user interface, ultimately tricking Bybit's multi-signature process into approving the malicious contract.
🔍 Vulnerability Root Analysis
This incident reveals a severe supply chain security issue in the Web3 ecosystem:
Single Point of Failure, Total Collapse: Attackers (believed to be North Korea's Lazarus Group) successfully penetrated the ultimate target (the exchange) by exploiting a weak link in the supply chain (the developer's computer).
Blind Signing Risk: As the CEO of Safe stated, "Many people are actually constrained by the concept of blind signing... you really don't know what you are signing." Users often cannot understand the true intentions behind what they are signing when executing transactions.
Human Factor: The biggest challenge comes from the social engineering tactics used by attackers. They lurk in Telegram channels and company recruitment processes, leveraging human trust to launch attacks.
🛡️ Core Insights and Action Guide
For project teams: A layered defense system must be established, breaking down and reinforcing security at the transaction, device, and infrastructure levels. At the same time, promote user education and adopt solutions that clearly demonstrate transaction intentions, bidding farewell to "blind signing."
For the industry: Security is no longer the responsibility of a single company, but a fragmented responsibility that needs to be shared. Any vulnerability in a dependent component can jeopardize the entire ecosystem.
#供应链安全 #bybit #私钥管理 #Web3安全
NPM Supply Chain Attack Warning: Cryptocurrency Users Face Large-Scale Address Manipulation Risks

Analyzing supply chain attacks targeting the JavaScript ecosystem and their security implications for cryptocurrency users, providing practical protection advice.

The NPM account of well-known developer qix was phished, leading to the injection of malicious code into multiple popular packages, affecting packages with over 1 billion downloads (including chalk, strip-ansi, etc.). The attack method manipulates the ETH/SOL transaction receiving address through wallet hooking and replaces the address in the network response, causing users to transfer funds to the attacker unknowingly.

The Chief Technology Officer of Ledger confirmed that this attack targets the entire JavaScript ecosystem, with the malicious code specifically designed to silently replace cryptocurrency addresses. Hardware wallet users can verify transaction details on their device screen to avoid risks, but software wallet users are advised to suspend on-chain transactions until the threat is resolved.

Protection Advice:

1. Force verification of the receiving address before transactions (verify again after pasting)
2. Prioritize using hardware wallets that support clear signing for high-value operations
3. Check recent transaction records and authorization status
4. Avoid updating or installing packages from unknown sources

Action Insight: Supply chain attacks highlight the potential risks of relying on open-source infrastructure, making it equally important to maintain software dependency hygiene and transaction verification habits.

#供应链安全 #加密货币安全 #NPM #硬件钱包 #Write2Earn

Disclaimer: This content is for reference only and does not constitute financial or security advice. Users should conduct their own research and take appropriate measures to protect their assets.
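One way a dApp frontend can enforce the first protection point above in its own code, as an added example rather than the post's or any wallet's code: pin the destination address the user has read back and confirmed, then refuse any `eth_sendTransaction` whose `to` field differs and flag any API response that carries a different address. The `AddressGuard` class and its method names are assumptions for this example, and the addresses are constructed placeholders.

```javascript
// Added example: an "address pinning" guard for a dApp frontend. The user
// confirms the destination once (on screen or on a hardware wallet display);
// after that every eth_sendTransaction request and every API response carrying
// an address is checked against the pinned value, so a swapped address is
// refused instead of silently signed. Class and method names are assumptions
// for this example, not the API of any real wallet library.

const ETH_RE = /^0x[0-9a-fA-F]{40}$/;

// Reject anything that is not 0x + 40 hex chars; compare case-insensitively.
function normalizeEthAddress(addr) {
  if (typeof addr !== "string" || !ETH_RE.test(addr)) {
    throw new Error(`not a valid Ethereum address: ${String(addr)}`);
  }
  return addr.toLowerCase();
}

class AddressGuard {
  constructor() { this.pinned = null; }

  // Call only after the user has verified the address character by character.
  pin(confirmedAddr) {
    this.pinned = normalizeEthAddress(confirmedAddr);
    return this.pinned;
  }

  // Inspect a JSON-RPC request before it is handed to the wallet provider.
  // Returns { ok, reason } and never mutates the request.
  checkRequest(rpcRequest) {
    if (this.pinned === null) return { ok: false, reason: "no pinned address" };
    if (rpcRequest.method !== "eth_sendTransaction") {
      return { ok: true, reason: "not a send transaction" };
    }
    const tx = (rpcRequest.params && rpcRequest.params[0]) || {};
    let to;
    try { to = normalizeEthAddress(tx.to); } catch (e) { return { ok: false, reason: e.message }; }
    if (to !== this.pinned) {
      return { ok: false, reason: `destination ${to} differs from confirmed ${this.pinned}` };
    }
    return { ok: true, reason: "destination matches confirmed address" };
  }

  // Walk a parsed API response and report every address-shaped string that is
  // not the pinned one: the "replace the address in the network response"
  // pattern shows up here whenever the response is supposed to echo the destination.
  scanResponse(value, path = "$") {
    const findings = [];
    if (typeof value === "string") {
      if (ETH_RE.test(value) && value.toLowerCase() !== this.pinned) {
        findings.push({ path, value });
      }
    } else if (Array.isArray(value)) {
      value.forEach((v, i) => findings.push(...this.scanResponse(v, `${path}[${i}]`)));
    } else if (value && typeof value === "object") {
      for (const [k, v] of Object.entries(value)) {
        findings.push(...this.scanResponse(v, `${path}.${k}`));
      }
    }
    return findings;
  }
}

// Constructed sample data: placeholder addresses, not real accounts.
const CONFIRMED = "0x1111111111111111111111111111111111111111";
const SWAPPED = "0x2222222222222222222222222222222222222222";
const guard = new AddressGuard();
guard.pin(CONFIRMED);
const honestRequest = { method: "eth_sendTransaction", params: [{ to: CONFIRMED, value: "0x1" }] };
const swappedRequest = { method: "eth_sendTransaction", params: [{ to: SWAPPED, value: "0x1" }] };
const apiResponse = { status: "ok", data: { recipient: SWAPPED, memo: "invoice 42" } };
```

The guard only covers code paths the frontend controls; a hooked wallet can still present a different address, which is why the post's advice to read the address off a hardware wallet screen remains the last check.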
🚨 Is your protocol safe? The Balancer incident reveals a supply chain security crisis
📌 The overlooked deadly risk
The impact of this Balancer incident goes far beyond itself. Its open-source code has been forked by numerous projects (such as Berachain's BEX), leading to vulnerabilities spreading rapidly throughout the ecosystem, causing cumulative losses exceeding $120 million. This clearly indicates that in the highly composable DeFi world, supply chain security has become one of the deadliest systemic risks.
🔗 What is a supply chain attack?
In simple terms, when your project relies on or forks an external codebase with unknown vulnerabilities, even if your own code is flawless, you will be implicated by the faults in the upstream dependencies. Balancer V2 is a widely forked and audited "Lego block", so its failure has shaken the trust foundation of the entire ecosystem.
🏗️ Build your defense system
✅ In-depth code review: When forking or referencing external contracts, an independent, in-depth security audit must be conducted, and one must never assume that it has been "audited" and trust it completely.
✅ Establish monitoring and circuit breaker mechanisms: Implement 24/7 monitoring of key parameters (such as liquidity pool prices) and preset automatic pause mechanisms to stop losses at the first sign of abnormalities.
✅ Develop an emergency response plan: Plan in advance the response process when encountering such "zero-day vulnerabilities", including upgrades, pauses, and communication strategies with the community.
💎 Core insight
This incident serves as a warning to all projects: the security perimeter extends far beyond the code you write yourself. A comprehensive review of your technological supply chain and the establishment of a multi-layered defense system are just as important as smart contract audits.
#供应链安全 #defi #智能合约审计 #balancer
Case Analysis | Discord Data Leak Incident Triggered by Third-Party Customer Service Provider
Event Retrospective
In September, Discord's third-party customer service provider Zendesk suffered a security attack, leading to the leak of government identity documents submitted by users (including driver's licenses, passports, and other age verification materials).
Risk Analysis
This incident revealed three key security issues:
Weak supply chain security: Even if the platform's own security measures are robust, third-party suppliers can still become attack vectors.
Conflict between compliance and security: Sensitive data collected to meet regulatory requirements can inadvertently become targets for attacks.
Data retention risks: Complaint processes can lead to data that should be deleted being retained for long periods.
Protection Recommendations
Implement strict security audits and the principle of least privilege for third-party suppliers.
Prioritize local processing solutions while meeting compliance requirements.
Users should be cautious when submitting sensitive identity documents and understand data retention policies.
Core Insight
Security is a topic that involves the entire ecosystem, and equally strict security standards must be applied to all partners.
#供应链安全 #数据隐私 #Discord安全
Third-party Library Risk Erupts: How Lottie Animation Files Become Bait for Hackers?

Recently, a supply chain security incident triggered by a third-party animation library has sounded the alarm for the Web3 ecosystem.
🔍 In-depth Analysis of the Incident
Attack Method: Hackers maliciously exploited the feature of Lottie animation expressions to inject malicious scripts into web pages, executing cross-site scripting (XSS) attacks to deceive users.
Another Dimension of Risk: Attackers successfully implanted malicious code in npm packages by stealing developer tokens, leading to the infection of numerous applications relying on this library.
These incidents reveal a harsh reality in modern web development: a seemingly harmless third-party component can become the collapse point of an entire security defense line.
🛡️ Professional Protection Recommendations
Strict Content Validation: Conduct strict security checks on all introduced third-party content (such as JSON animation files).
Strengthen Security Policies: Deploy robust Content Security Policies (CSP) to effectively block the execution of malicious scripts.
Dependency Management: Lock dependency library versions and use Subresource Integrity (SRI) validation to ensure resources have not been tampered with.
Continuous Monitoring: Establish a continuous security monitoring mechanism for dependency libraries to promptly detect and respond to new threats.
💡 Key Insights
In a complex supply chain environment, security is no longer just about the code itself, but encompasses the entire lifecycle of dependencies, deployment, and operations. Maintaining vigilance over any third-party components and implementing deep defense is key to ensuring project security.
#供应链安全 #Web3安全 #第三方风险
🚨 Is your staked asset still safe? The Kiln incident reveals the fatal risks of staking services
In September, the staking service provider Kiln was attacked by advanced persistent threats, with engineers' GitHub tokens leaked, leading to malicious code being implanted in the API. When clients withdrew their stakes, the control of their assets was secretly transferred.
🔍 Root cause of the incident: Blind signing transactions
Users signed serialized transaction data that could not be parsed, which contained hidden malicious instructions. On chains like Solana, even experts find it difficult to understand the raw transactions, making it hard to notice anomalies at the time of signing.
💡 Insights
Project parties: Must adopt an "intention-aware" architecture to provide human-readable transaction verification.
Users: Be wary of blind signing behavior and prioritize service providers that can clearly display transaction intentions.
The security paradigm must shift from "post-audit" to "eliminating risks through architectural design."
#供应链安全 #Kiln #盲签风险 #架构安全
🔐 Supply Chain Alert: High-Risk Vulnerability in Zero-Knowledge Proof Library gnark Affects Multiple Mainstream Projects
💸 Incident Recap
In August, Tencent's Xuanwu Lab AI system discovered a high-risk signature forgery vulnerability (CVE-2025-57801) in the widely used zero-knowledge proof library gnark. This library is utilized by several well-known projects, including Worldcoin, BNB Chain, and ConsenSys's own Layer2 network Linea.
🔍 Vulnerability Root Cause
The vulnerability exists in the native verification (Native Verification) API provided by gnark for developers. In a ZK-Rollup scenario, an attacker could exploit this vulnerability to forge multiple signatures that differ but have the same content based on a valid transaction, potentially leading to repeated deductions from user assets.
💡 Lessons Learned
This incident highlights the severe supply chain security issues in the Web3 space: a small flaw in a core underlying library can jeopardize the entire ecosystem built on top of it.
🛡️ Protective Measures
For project teams: Immediately check if you are using the vulnerable gnark Native Verification API and upgrade to a fixed version as soon as possible.
Best Practice: Follow the non-native verification (Non-native Verification) method used in the official gnark example to implement signature verification by combining underlying primitives yourself, which can mitigate this risk.
#供应链安全 #零知识证明 #gnark #Web3安全