phkahler 4 days ago
>> which silently intercepts crypto and web3 activity in the browser, manipulates wallet interactions, and rewrites payment destinations so that funds and approvals are redirected to attacker-controlled accounts without any obvious signs to the user.

If you're doing financial transactions using a big pile of NPM dependencies, you should IMHO be financially liable for this kind of thing when your users get scammed.
bpavuk 4 days ago
using NPM at all must be treated as a liability at this point. it's not the first and definitely not the last time NPM got pwned this hard.
palmfacehn 4 days ago
It isn't uncommon in crypto ecosystems for the core foundation to shovel slop libraries on application developers. |