Cryptonaut Bob 👑🦁

🚨 CRITICAL: Active supply chain attack on axios -- one of npm's most depended-on packages. The latest axios@1.14.1 now pulls in plain-crypto-js@4.2.1, a package that did not exist before today. This is a live compromise. This is textbook supply chain installer malware. axios has 100M+ weekly downloads. Every npm install pulling the latest version is potentially compromised right now. Socket AI analysis confirms this is malware. plain-crypto-js is an obfuscated dropper/loader that: • Deobfuscates embedded payloads and operational strings at runtime • Dynamically loads fs, os, and execSync to evade static analysis • Executes decoded shell commands • Stages and copies payload files into OS temp and Windows ProgramData directories • Deletes and renames artifacts post-execution to destroy forensic evidence If you use axios, pin your version immediately and audit your lockfiles. Do not upgrade.

🚨 PSA: a scammer has taken control of the samouraiwallet.com domain. Do not be fooled into downloading malicious software. How ironic that the FBI seizes control over the domain only for it to fall into the hands of actual criminals.

The custom designed @FugzOfficial X @KeystoneWallet has finally arrived, I’ve been waiting to get my hands on it 🙌 I even made a completely amateur unboxing and uploaded it to YouTube you can find it at the link below 👇 youtu.be/IZZiFVKN2j8?si…

All blockchain hardware wallets are worthless unless either: 1. You spend 20 minutes per transaction verifying your calldata 2. All hardware wallets adopt a transaction legibility standard "oh but my hardware wallet is EAL6+ rated with a secure element and a MCU made from minerals mined from pluto's ultra secure crust that-" - It doesn't matter. If you do not check calldata, you're essentially saying "I trust 100% that this website has not been hacked, because I trust whatever data they send to my wallet". It doesn't matter if your wallet is the most badass piece of security tech that's ever been, because you're letting hackers send whatever they want to your wallet, and you'll blindly sign! We've seen websites hacked all the time. @Compound_xyz was hacked just last week!! Reference: x.com/Compound_xyz/s… And we've seen MASSIVE losses from these hacks across both retail and enterprise use. - Bybit ($1.4B) - Radiant Capital ($50M) - WazirX ($200M) Some wallets have done a great job of getting the ball rolling on their own like @gridplus and @KeystoneWallet who both offer calldata decoding at the device level. @Ledger and @Keycard_ offer EIP-712 digests for signatures which are easier to verify than EIP-712 structs. @MetaMask snaps allow me to build my own custom AI bots and custom decoders to read calldata easier. But it's not enough. Calldata is still very annoying to read, and decoding it can be more confusing. Not enough wallets support EIP-712 digests. The good news... Is that transaction legibility is finally coming... Once we have a standard in place for human-readable transactions, it will be unacceptable to use a hardware wallet that does not have such a feature. And we can FINALLY use hardware wallets the correct way! I'M QUITE EXCITED.

🚨 @DonjonLedger has struck again discovering a MediaTek vulnerability potentially impacting millions of Android phones. Another reminder that smartphones aren’t built for security. Even when powered off, user data - including pins & seeds - can be extracted in under a minute.