Dependency Check: No Impact from Recent npm Supply-Chain Attack

A recent supply-chain attack injected malicious code into several popular npm packages. We reviewed our dependencies and confirmed that none of the vulnerable versions are in use.

Risks: Malicious packages can execute arbitrary code in apps. In this case, the injected code targeted crypto wallet operations in browser contexts. While our platform does not perform any crypto operations, such incidents highlight the broader risk of supply-chain attacks potentially exposing users or infrastructure.

Checks performed: The full dependency tree (every resolved version in the lockfile, not only direct dependencies) was audited against the list of compromised package versions. No matches were found.

How to reduce risk going forward:

  • Always commit and use the lockfile

  • In CI, Yarn runs with immutable installs by default (the install fails instead of rewriting the lockfile if it is out of sync with package.json)

  • Developers can run yarn install --immutable locally to verify lockfile integrity

  • Keep dependencies updated and monitor security advisories