Coinspect Security

1.9K posts

@coinspect

You Build. We Defend. Since 2014 protecting critical decentralized systems: L1 nodes, smart contract audits, wallets, web3 dApps, exchanges, bridges.

Joined July 2014
739 Following, 2.7K Followers
vitalik.eth @VitalikButerin
@donnoh_eth @zklim5389 Do oracles too; lots of skeletons in the closet there. I was fully serious when I said last week that making sure all our oracles are resilience- and decentralization-maxxed is more important than stage 1 -> stage 2.
Coinspect Security reposted
Juliano Rizzo @julianor
1/ From all the recent writeups, I pick a few to read carefully and enjoy while drinking 🧉 and eating chipa, the way I did before with every (yes) Bugtraq post. This week: the Qualys ptrace LPE, CVE-2026-46333 (no AI), and the Linux PDF RCE, CVE-2026-46529 (human+AI). Both are worth reading:
Coinspect Security reposted
Juliano Rizzo @julianor
🚨 GitHub CONFIRMS breach of ~3,800 internal repositories. Root cause: poisoned VS Code extension on an employee device. Exfiltrated: GitHub Actions, Enterprise, Copilot, CodeQL, billing/auth platforms + more. ✅ No customer data impacted. Log analysis and secret rotation in progress.
Quoted post from Juliano Rizzo @julianor: TeamPCP post 4 hours ago:
Coinspect Security reposted
GitHub @github
We are investigating unauthorized access to GitHub’s internal repositories. While we currently have no evidence of impact to customer information stored outside of GitHub’s internal repositories (such as our customers’ enterprises, organizations, and repositories), we are closely monitoring our infrastructure for follow-on activity.
Coinspect Security reposted
Giveth @Giveth
The Ethereum Security QF round brought together:
- 500 ETH matching pool from @thedaofund
- $300K+ in donations
- Additional matching pool support from @Quantstamp and @CredShields
- Dozens of teams showing up for Ethereum security

Really inspiring to see so many parts of the ecosystem come together around supporting Ethereum security. And special thanks to the teams who stepped up with additional support across the round: @Quantstamp, @CertiK, @sigp_io, @Certora, @chain_security, @PashovAuditGrp, @CredShields, @hackenclub, @OpenSea, @yearnfi, @osec_io, @coinspect, @dedaub, @RektHQ, @hexens, @perimeter_sec, @rv_inc, @WeAreTellor, @ECHInstitute. Stay tuned for the final results!
Coinspect Security reposted
Microsoft Threat Intelligence @MsftSecIntel
Microsoft is investigating a new, emerging Mini Shai-Hulud npm supply chain attack targeting antv packages. Attackers compromised an antv maintainer account and published malicious versions of multiple widely used packages (for example, antv/g2). As these packages are widely used as dependencies, the compromise propagated into downstream libraries like echarts-for-react, impacting a much broader set of applications and continuous integration (CI) environments.

All compromised packages contain a byte-identical, obfuscated credential-stealing payload delivered via a preinstall hook (Bun). The malware targets high-value secrets including:
- GitHub personal access tokens (PATs) and OpenID Connect (OIDC) tokens
- npm / Amazon Web Services (AWS) credentials and Security Token Service (STS) sessions
- Secure Shell (SSH) keys, kubeconfigs, and .env / .npmrc files
- Software-as-a-service (SaaS) tokens (Slack, Stripe, Vault)

Exfiltration occurs over HTTPS with Transport Layer Security (TLS) validation disabled. The payload also abuses stolen OIDC tokens to forge Supply-chain Levels for Software Artifacts (SLSA) provenance and propagate malicious releases, exhibiting worm-like behavior across repositories.

Malicious files distributed through npm packages are detected by Microsoft Defender as Trojan:AIGen/NPMStealer, "Suspicious Node.js process behavior", or "Credential access attempt", preventing credential theft and malicious post-install execution.

Mitigation:
- Audit dependencies for affected antv and related packages; pin or downgrade to known-good versions (pre-2025-05-18).
- Revoke and rotate exposed credentials (GitHub, npm, cloud tokens, SSH keys).
- Validate integrity of CI pipelines and recent build artifacts.
- Network IOC: stolen credentials are exfiltrated over HTTPS to t.m-kosche[.]com:443. Block at egress and review network logs for outbound connections.
Bojan @bjnpck
I'm starting to use @ambire more.
- Covers everything Rabby does
- Less tracking
Coinspect Security @coinspect
Bitcoin Core PoC crash for CVE-2024-52911. ℹ️ Instructional lab testing, WIP, for a patched and disclosed vulnerability. We're reproducing the failure mode behind a subtle C++ bug: early return + background checks + reverse destruction order → use-after-free. Valuable case study given the codebase’s criticality and quality bar.
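The failure mode named in the post above (early return + background check + reverse destruction order), as an added illustration that is not Coinspect's PoC and not Bitcoin Core code: a hypothetical `Checker` thread keeps reading a heap-allocated `Peer`, and the buggy function frees that `Peer` on its early-return path before the thread is joined. `Peer`, `Checker`, `ProcessVulnerable` and `ProcessFixed` are assumptions made for this example; they show the general pattern, not the specific CVE-2024-52911 code path.

```cpp
// Added illustration of the bug pattern; not Coinspect's PoC and not Bitcoin
// Core code. Peer, Checker, ProcessVulnerable and ProcessFixed are hypothetical.
#include <atomic>
#include <chrono>
#include <cstdio>
#include <memory>
#include <thread>

struct Peer {            // the object a background check keeps reading
    int score = 0;
};

// A background check: a thread that repeatedly reads *peer_ until Stop().
class Checker {
public:
    Checker() = default;
    Checker(const Checker&) = delete;
    Checker& operator=(const Checker&) = delete;
    ~Checker() { Stop(); }   // joins the thread, but only when the Checker itself dies

    void Watch(const Peer* peer) {
        peer_ = peer;
        thread_ = std::thread([this] {
            do {
                std::this_thread::sleep_for(std::chrono::microseconds(100));
                last_seen_.store(peer_->score);   // this read becomes the use-after-free
            } while (!stop_.load(std::memory_order_acquire));
        });
    }

    void Stop() {
        stop_.store(true, std::memory_order_release);
        if (thread_.joinable()) thread_.join();
    }

    int last_seen() const { return last_seen_.load(); }

private:
    const Peer* peer_ = nullptr;
    std::atomic<bool> stop_{false};
    std::atomic<int> last_seen_{0};
    std::thread thread_;
};

// Buggy ordering. `checker` is declared before the Peer it watches, so locals
// are destroyed in reverse order: `peer` is freed first, and only afterwards
// does ~Checker() join the thread, which is still dereferencing the freed Peer.
// The happy path relies on an explicit Stop() that the early return skips.
int ProcessVulnerable(bool fail_fast) {
    Checker checker;
    auto peer = std::make_unique<Peer>();
    peer->score = 42;
    checker.Watch(peer.get());
    if (fail_fast) {
        return -1;                // BUG: thread still running; peer freed next, joined after
    }
    checker.Stop();               // thread joined before anything is freed
    return checker.last_seen();
}

// Fixed ordering. The watched Peer is declared before the Checker, so reverse
// destruction order runs ~Checker() (the join) before the Peer is freed on
// every exit path; the early return can no longer skip the cleanup.
int ProcessFixed(bool fail_fast) {
    auto peer = std::make_unique<Peer>();
    peer->score = 42;
    Checker checker;
    checker.Watch(peer.get());
    if (fail_fast) {
        return -1;                // safe: ~Checker joins first, then ~unique_ptr frees peer
    }
    checker.Stop();
    return checker.last_seen();   // 42: the do-while guarantees at least one read
}

int main(int argc, char**) {
    // Build with: g++ -std=c++17 -g -fsanitize=address -pthread uaf.cpp
    // Pass any argument to take the buggy early-return path and let ASan
    // report the heap-use-after-free in the checker thread.
    if (argc > 1) {
        std::printf("vulnerable, fail_fast: %d\n", ProcessVulnerable(true));
    }
    std::printf("fixed, fail_fast: %d\n", ProcessFixed(true));
    std::printf("fixed, happy path: %d\n", ProcessFixed(false));
    return 0;
}
```

Without AddressSanitizer the buggy path usually runs quietly, since the stale read of freed heap memory does not crash; under ASan it is reported as a heap-use-after-free in the checker thread, which is why a bug of this shape is easy to miss in ordinary testing. The fix shown is the declaration-order one; giving the thread shared ownership of the object it reads (for example via `std::shared_ptr`) is the other common remedy when the lifetimes cannot be nested so neatly.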
Giveth @Giveth
The Ethereum Security QF round is officially closed! Huge thank you to every donor, project, badgeholder, contributor, and community member who showed up to support Ethereum security over the past weeks. More soon 💜
Coinspect Security reposted
Cotabe.eth @Cotabe_M
@coinspect is one more team that, beyond being an auditing firm, is building public goods to make the ecosystem safer. Beyond the wallet security ranking, they are working on DappFence and Taint. All public goods for Ethereum security. Tip of the hat to you guys!
Quoted post from Giveth @Giveth: Huge thank you to @coinspect for backing Ethereum security 💜
Coinspect Security @coinspect
Through @thedaofund on @Giveth, our team supported public goods projects we believe in and we added ~$5k with the Badge (4x) to help amplify support through quadratic funding. But money is the easy part. We'll keep building public goods security projects for Ethereum and supporting other teams with open resources, expertise, and free security services.
hexens @hexens
Three Hexens engineers voted as badge holders in the Ethereum Security QF round, casting their votes for projects they believe in. Hexens contributed $400 per badge-holding team member to back their participation.
Coinspect Security reposted
Patrick Collins @PatrickAlphaC
There are around only 24 hours left to donate to the DAO security fund. I would like to ask you to please donate to Cyfrin Updraft & Tooling. If you know someone who learned security with us, please consider donating! We have been the #1 education platform for onboarding security researchers and developers to Web3 for 3 years straight, 100% for free. qf.giveth.io/project/cyfrin…

Some stats:
- Averages 8k students a week
- Hundreds of thousands of hours of watchtime in aggregate
- Millions of views on YouTube (500k on foundry 1 year ago, 600k 2 years ago, ~200k on intro to security, ~25k on assembly and formal verification, etc)
- Thousands of stars on security education on GitHub

Not to mention @SoloditOfficial, Aderyn, LocalSafe, WiseSigner, ERC-8213, @CodeHawks first flights & AI first flights (competitive audit live trainings) and more. If you don't like our education, we have a tooling page too: qf.giveth.io/project/cyfrin… Thank you for your consideration!
Coinspect Security reposted
souilos @theSouilos
Supporting projects like this ⬇️ by @coinspect. Talented guys in the industry.
Coinspect Security @coinspect
Most people choose wallets based on vibes, downloads, or who paid for the biggest sponsorship. Users shouldn’t have to rely on marketing claims when choosing where to keep their assets. We built the Wallet Security Ranking. We test. You decide.
Sakata @0x_sakata
These are the best wallets in web3. Prove me wrong.
Coinspect Security reposted
Juliano Rizzo @julianor
Once upon a time, someone noticed "random" numbers repeating. That observation led to one of the most catastrophic crypto bugs ever (Debian’s 2008 OpenSSL RNG flaw).
Quoted post from Adam Gordon Bell 🤓 @adamgordonbell: @itseieio This is from this thread btw. So collisions can happen.