ETHSecurity Community
/eth-security1443
This is the farcaster instantiation of the great and lindy ETHSecurity community which exists on Telegram and elsewhere.
What blows me away about this is that someone got robbed for a third of a billion dollars, and no one seems to know who it was. Just some off the grid whale wallet vanishing into a cloud of XMR.
https://www.theblock.co/post/352105/apparent-bitcoin-theft-worth-330-million-spikes-monero-price-in-laundering-frenzy-zachxbt
North Korean hackers created fake US companies to target crypto developers: report
Source: The Block
https://search.app/jMx6o
👀 Hackers are mining crypto in the cloud—on your dime.
Microsoft uncovered Storm-1977 targeting education sector cloud accounts via password spraying.
They used AzureChecker.exe, hijacked guest accounts, spun up 200+ containers, and ran illicit crypto mining.
⚠️ Time to lock it down.
👉 Learn more: https://thehackernews.com/2025/04/storm-1977-hits-education-clouds-with.html
Bugs like rounding errors are easy to detect and hard to escalate into crits
Bugs like silent overflows are harder to detect but easy to escalate
Every bug is easier to find with different techniques
That’s why you should try all and use what works for you
Announcing the debut of a new service!
Now you can contact me and my friend @rata0x for legal services and advice. We've known my dear friend t.me/rata0x for 5 years, and we've helped a lot of individuals in the most desperate situations!
So, if you need to:
1. Resolve the issue of unauthorized blocking of funds on the exchange.
2. You have had a huge sum of money stolen from you and must immediately block it on exchanges and return it as soon as possible.
3. You or your project require legal assistance and advice.
Contact t.me/rata0x! When I refer him, I use my name because I've worked with him for a long time and know him well.
🚨 Crypto Devs, Watch Out!
Ripple's xrpl.js library was backdoored to steal private keys! Over 2.9M downloads, 135K devs at risk.
🗓️ Malicious versions: 4.2.1–4.2.4, 2.14.2
🛡️ Safe versions: 4.2.5, 2.14.3
👤 Hacker hijacked a Ripple dev's npm account on April 21, 2025.
🔗 Learn more: https://thehackernews.com/2025/04/ripples-xrpljs-npm-package-backdoored.html
🛑 New Malware Targets Docker — but it’s not about crypto mining anymore.
Hackers are hijacking Docker to run fake nodes on a Web3 network called Teneo. Instead of mining, they farm TENEO tokens by sending fake heartbeat signals.
🔹 325+ downloads from Docker Hub
Read more ➝ https://thehackernews.com/2025/04/docker-malware-exploits-teneo-web3-node.html
We are seeing a lot more attacks utilizing malicious VSCode and Browser extensions (although these have been around for a while).
For browser extensions you can use "managed Chrome" instances to control what can/can't be installed, to make sure no malicious extensions get installed. You can also choose to block particularly bad extensions.
For VSCode extensions you are basically SOL; right now my advice is this:
Wherever possible please use [vscode.dev](http://vscode.dev) to open untrusted projects, as it means there is little chance they can execute code on your behalf. VSCode projects can execute arbitrary code on opening if you click "I trust this application/codebase".
If you want to scan the extensions before installing you can use this to validate both chrome and vscode extensions:
https://www.extensiontotal.com/
🚨 Malware Alert for Developers!
3 npm packages are mimicking a popular Telegram bot library—but secretly install SSH backdoors & exfiltrate your data.
They replicate the look of node-telegram-bot-api (100K+ weekly users), use starjacking to fake credibility, and target Linux systems. Removal ≠ protection—SSH keys stay behind.
Learn more: https://thehackernews.com/2025/04/rogue-npm-packages-mimic-telegram-bot.html
If you missed it I definitely recommend you take a look at @nick.eth 's tweet thread about a fairly clever phishing attack: https://x.com/nicksdjohnson/status/1912439023982834120
TL;DR the attackers change the app name to the message, Google sends it to you and then they host the actual phishing site on `sites.google.com`
This attack underscores the value of using Passkeys and hardware security keys (like YubiKeys). Unlike traditional username/password logins or codes sent via SMS or used in Authenticator apps, passkeys and hardware tokens use cryptographic proofs that are tied directly to the exact domain of the legitimate site. They will refuse authentication on any other domain—even if it looks visually identical. This makes passkeys and YubiKeys effectively 100% immune to phishing attacks like these. Additionally, password managers can help by automatically identifying domain mismatches, preventing users from submitting credentials to fraudulent websites.
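The domain binding the post above relies on, as an added example that is not code from the thread: this is the check a relying party (RP) runs on a passkey or security-key assertion, which is why a lookalike page hosted on another domain cannot replay a login. The RP id, allowed origins, challenge and authenticator data are constructed for the demo.

```python
# Added example, not from the original thread: relying-party side checks on a
# WebAuthn assertion. RP id, origins, challenge and authenticator data are
# constructed for this demo.
import base64
import hashlib
import json

RP_ID = "example.com"                                                   # assumed RP id
ALLOWED_ORIGINS = {"https://example.com", "https://login.example.com"}  # assumed

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_client_data(origin: str, challenge: bytes) -> str:
    """What the browser builds (and the authenticator signs over) for navigator.credentials.get()."""
    cd = {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    return b64url(json.dumps(cd).encode())

def make_authenticator_data(rp_id: str, flags: int = 0x01, counter: int = 1) -> bytes:
    """rpIdHash(32) || flags(1) || signCount(4). A browser only lets a page request an
    rp_id that is a registrable suffix of its own origin, so a page on sites.google.com
    can never obtain an assertion whose rpIdHash is sha256("example.com")."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + counter.to_bytes(4, "big")

def check_assertion(client_data_b64: str, auth_data: bytes, expected_challenge: bytes) -> tuple:
    """Returns (ok, reason). Signature verification over auth_data || sha256(clientDataJSON)
    is left out; a real RP runs it after these checks, and because the signed bytes include
    the origin and rpIdHash, a substituted origin would fail there as well."""
    try:
        cd = json.loads(b64url_decode(client_data_b64))
    except (ValueError, UnicodeDecodeError):
        return False, "clientDataJSON is not valid JSON"
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (stale or cross-session assertion)"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {cd.get('origin')!r} is not this relying party"
    if len(auth_data) < 37 or auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash missing or does not match the RP id"
    if not auth_data[32] & 0x01:
        return False, "user presence (UP) flag not set"
    return True, "ok"
```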
Three Good Multisig Operations Tips!
1) You can create a multisig with Safe, sign transactions off-chain, and send them using any other wallet that doesn't control the multisig at all. So you could use a Safe contract as an alternative to any ERC-2771 smart contract (as OpenZeppelin Defender is).
2) How to choose a better number of signers? Pick an M-of-N multisig where M is less than N, such as 2-of-3. Give yourself some leeway; a 2-of-2 requires all your backups to work perfectly.
3) Implement Web3 Front-end monitoring, use a tool by @koda (link below)!
P.S. That’s an awesome app: pilot.gnosisguild.org
Cybersecurity Risks are possible with AI technology
AI technology is still new and some systems are vulnerable to cyber attacks, which can compromise the security of traders' funds.
Hackers can exploit vulnerabilities in AI algorithms to manipulate trades or steal funds.
It is essential to implement robust cybersecurity measures to protect against these risks.
Sherlock and Usual announce the largest bug bounty ever
https://x.com/sherlockdefi/status/1907418923336630324
A victim lost $510,294 due to copying the wrong address from transaction history!
Victim:
0x0d534863a71d5e68d5c919a4c2ef47c3a7a792c0
Fake address:
0x4049Ebf479Fa49924e120490d119f0827cAa9aeC
Legitimate address:
0x40491fe2bA81621475c894Ebe8bcad56C7da9aec
How transaction history poisoning works:
1. Scammer sends fake/dust transfer with similar address;
2. Their fake address appears in your history;
3. You copy address from history thinking it's legitimate;
4. Funds get sent to scammer instead.
How to stay protected:
1. Always double-check the addresses you're sending funds to;
2. Never copy addresses from transaction histories;
3. Use a wallet that supports whitelisting or bookmarks.
My article on topic: https://officercia.mirror.xyz/n-sXszeDoNU3wtUUxRQEYvxQlZ6loaFElILzm2gnMzw
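The lookalike check that the "whitelisting or bookmarks" tip implies, as an added example that is not part of the original post: it compares a candidate address copied from history against bookmarked contacts and flags one that matches only the leading and trailing hex characters (the part wallet UIs display), using the two addresses quoted above. The bookmark label is constructed.

```python
# Added example, not part of the original post: a bookmark-based lookalike check
# for the transaction history poisoning pattern described above. The two addresses
# are the ones quoted in the post; the bookmark label is constructed.
LEGIT = "0x40491fe2bA81621475c894Ebe8bcad56C7da9aec"
FAKE = "0x4049Ebf479Fa49924e120490d119f0827cAa9aeC"


def normalize(addr: str) -> str:
    """Lower-case 40-hex-char form; rejects anything that is not a 20-byte address."""
    a = addr.strip().lower()
    a = a[2:] if a.startswith("0x") else a
    if len(a) != 40 or any(c not in "0123456789abcdef" for c in a):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return a


def shared_prefix_suffix(a: str, b: str) -> tuple:
    """How many leading and trailing hex chars two addresses have in common."""
    a, b = normalize(a), normalize(b)
    p = 0
    while p < 40 and a[p] == b[p]:
        p += 1
    s = 0
    while s < 40 - p and a[39 - s] == b[39 - s]:
        s += 1
    return p, s


def classify(candidate: str, bookmarks: dict, min_prefix: int = 3, min_suffix: int = 3) -> tuple:
    """Return (status, label, prefix, suffix).
    "known"     -> exact match with a bookmark: fine to send.
    "lookalike" -> shares a bookmark's first/last chars but differs in the middle, which
                   is what a poisoning address is generated to do, since wallet UIs
                   truncate to those chars. The most similar bookmark is reported.
    "unknown"   -> resembles nothing bookmarked; still deserves a second look."""
    cand = normalize(candidate)
    best = ("unknown", None, 0, 0)
    for label, known in bookmarks.items():
        p, s = shared_prefix_suffix(cand, known)
        if p == 40:
            return ("known", label, 40, 0)
        if p >= min_prefix and s >= min_suffix and p + s > best[2] + best[3]:
            best = ("lookalike", label, p, s)
    return best


if __name__ == "__main__":
    book = {"exchange deposit": LEGIT}   # constructed bookmark list
    print(classify(FAKE, book))          # ('lookalike', 'exchange deposit', 4, 5)
```

The fake address from the post shares 4 leading and 5 trailing hex characters with the legitimate one, which is all a truncated wallet display would show.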
Ha, this is my first time seeing this phish pretext. Fake email from @coinbase that actually seems reasonably legit, telling you that they're moving everyone to self custody, and to download the official @coinbasewallet , but using a seed phrase generated by the attackers 😄
The ultimate, most advanced, security, DeFi, assembly, web3 auditor course ever created!
Thank you for mentioning my blog!
https://github.com/Cyfrin/security-and-auditing-full-course-s23
🚨 Crypto devs, beware!
Hackers hijacked 12+ popular npm packages—some live for 9+ years—to steal secrets like API keys & SSH tokens.
Root cause? Likely old maintainer accounts compromised via leaked credentials.
📎 Details: https://thehackernews.com/2025/03/nine-year-old-npm-packages-hijacked-to.html
🔒 Rotate keys. Audit deps. Enforce 2FA.
important PSA regarding OpSec!
Pls read this before we get another 1.5b hack
https://x.com/tayvano_/status/1904942559673397335
Let's say you are making a local web3 frontend. Is it safe to use localStorage on .localhost websites to store keys? Why/why not?
I have a bunch of these new NFC cards, BurnerOS by ArcX… it's neat, but I wonder:
How trivial is it to exfiltrate the private key? There has to be a threshold of assets secured at which it makes sense to upgrade to a stronger solution.
Did you know you can run the same tests you wrote for foundry, with Echidna (Concrete Fuzzer) and Halmos (Formal Verification), with zero code changes?
Safer code and zero extra work
Here’s the demo you can try today!
https://x.com/getreconxyz/status/1903129678447251714?s=46