




HashDit | now with Pro Extension
1.1K posts

@HashDit
Web3 Security Firm - Defending against Hacks & Scams on #BSC & More! 🛡️ Users stay safe with our Chrome Extension & Metamask Snaps! ⚙️ Links below 👇












🚨 HashDit Alert! 🚨 We have monitored that @xpepetrump project has rugged and drained $38.5k worth of funds from the LP.. Root cause: PEPEToken contract (0xc81688968Bd1E8Da313B8F2936852eC4307Cd17f) overrides the standard ERC-20 balanceOf() to delegate entirely to an external contract LockupContractFactory whose unverified code allowed the attacker to set arbitrary nonce values for the PancakePair address via function selector 0x801425e6. Before the hack, the LockupContractFactory logic contract was maliciously upgraded and changed to include the rug function selector. Funds are still in the hacker's wallet. Detected by our Internal HashDit AI Triage Monitor. Stay safe!

Chainlink functions officially deprecated yesterday. Moving over to CRE for future usecases. Automation scheduled for 30 July deprecation too









⚠️ Web3 social managers on X: stay alert. Scam phishing emails targeting crypto are circulating again. If you enter your project's credentials into the fake login page, your X account WILL GET HACKED! Stay vigilant!! Refer to this for more information: malwarebytes.com/blog/news/2025…

We're aware of a security incident involving the compromise of private keys belonging to a member of the Humanity Foundation. The safety of our community is our top priority, and we want to be fully transparent about what we know. As a precaution, please do NOT interact with the bridge or any liquidity pools until we give the all clear. This is the single most important step you can take to protect your funds right now. We are actively working with leading security experts and our exchange partners to assess the scope of the incident and secure all affected systems. We're deeply sorry that this has happened. Protecting this community is our responsibility, and we don't take that lightly. We will share verified updates as soon as we have them and we won't speculate before facts are confirmed. Official updates will only come from this account or @terencekwok Beware of the scammers and impersonators who exploit moments like this. We will never DM you first or ask for your seed phrase or private keys.


🚨 BREAKING: Active supply chain attack across npm, PyPI, and Crates.io. Socket detected TrapDoor, a crypto stealer campaign hitting 34 malicious packages and 384 versions and artifacts, with attackers repeatedly pushing new releases across ecosystems. TrapDoor targets #crypto, #DeFi, AI, and security developers, stealing wallets, SSH keys, cloud credentials, GitHub tokens, browser data, env vars, and API keys. Socket detected releases with a median detection time of 5 minutes, 27 seconds. The fastest detection occurred 58 seconds after publication.




We are investigating unauthorized access to GitHub’s internal repositories. While we currently have no evidence of impact to customer information stored outside of GitHub’s internal repositories (such as our customers’ enterprises, organizations, and repositories), we are closely monitoring our infrastructure for follow-on activity.



🚨 Socket detected malicious activity in newly published versions of node-ipc, an npm package with 822K weekly downloads. Affected versions: node-ipc@9.1.6 node-ipc@9.2.3 node-ipc@12.0.1 Socket’s AI scanner flagged the malware within ~3 minutes of publication. Early analysis shows obfuscated stealer/backdoor behavior, including host fingerprinting, local file enumeration, payload wrapping, and attempted exfiltration.