looks legit and it's coming from
support@npmjs.help, which looks official,
right? Wrong. It's actually a classic
phishing attack. Even
though Josh is very smart and a much
better developer than you or I, he
clicked the link, entered his
credentials, and gave attackers full
control of his npm account and the
ability to publish new code to these
popular packages. And combined, these
packages get over 2.5 billion weekly
downloads, which is a crazy number.
Realizing they just struck gold, they
almost immediately start publishing new
versions of these packages. But here's
where things get interesting. It wasn't
just some generic malware, but rather a
crypto-specific attack targeting Web3
users. The bad code would inject itself
into a web browser and monitor
cryptocurrency transactions through
things like MetaMask. Then when a user
tries to send Bitcoin or Ethereum to one
of their friends, it silently swaps out
the destination address with one of the
attackers' crypto wallet addresses. This
type of malware is commonly known as a
crypto clipper. But one thing that's
interesting is that it doesn't just
select a random address. Instead, it
uses the Levenshtein distance algorithm
to calculate the visual similarity
between two strings. That means when the
swap occurs, it's much harder for the
end user to detect that anything has
changed. For example, the Levenshtein
distance between dude and bro is four,
but the distance between bra and bro is
only two. And the attackers use this
algorithm to find a wallet address that
would be the least obvious to the human
eye when the swap occurs. Now, these
packages were compromised for about 2
hours before the community caught on.
But in those two hours, they were
installed millions of times across CI/CD
pipelines, development environments, and
production systems around the world. And
the big question is, how much money did
the attackers actually steal? You would
think it needs to at least be hundreds
of millions of dollars. But in reality,
they only got away with about $50 worth
of Ethereum. That was a close call, but
it's a wake-up call for JavaScript
developers that maybe we need some
additional safeguards on these popular
packages. Or maybe we should rename npm
install to npm prey because every time
you use it, you need to pray the code
you're installing on your machine wasn't
compromised by crypto bros a few hours
ago. Or maybe you shouldn't even use
JavaScript for backend and only use it
for UI design like God intended. And the
best place to get some fresh UI
inspiration is mobin.com, the sponsor of
today's video. I've been using Mobin for
5 years now because it provides highly
detailed breakdowns of every screen in
thousands of popular applications. As a
developer, you can steal, I mean, get
inspired by these patterns and implement
them in your own applications. You can
analyze entire user journeys, UI
elements, and screens from over 1,000
highly successful web and mobile apps.
And you can even bring them directly
into Figma to kickstart your design
process. Try Mobin for free right now
with the link below, and you'll get a
20% discount. This has been the code
report. Thanks for watching and I will
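Added example, not code from the video or from the compromised packages: a JavaScript implementation of the Levenshtein distance the clipper is described as using, plus a defender-side check that the destination address handed to the wallet is exactly the one the user intended. The two wallet addresses are constructed for the demo and are not real.

```javascript
// Classic dynamic-programming Levenshtein distance: the minimum number of
// single-character insertions, deletions or substitutions turning a into b.
function levenshtein(a, b) {
  const rows = a.length + 1;
  const cols = b.length + 1;
  // Only two rows of the DP table are needed at any time.
  let prev = Array.from({ length: cols }, (_, j) => j);
  for (let i = 1; i < rows; i++) {
    const cur = [i];
    for (let j = 1; j < cols; j++) {
      const subst = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(
        prev[j] + 1,         // delete a[i-1]
        cur[j - 1] + 1,      // insert b[j-1]
        prev[j - 1] + subst  // substitute (or keep) the character
      );
    }
    prev = cur;
  }
  return prev[cols - 1];
}

// Defender-side check: the address that reaches the wallet must match the
// intended one exactly (case-insensitive, so checksummed and lowercase forms
// agree). The distance is reported only to show how small a swap can look.
function checkDestination(intended, actual) {
  const a = intended.toLowerCase();
  const b = actual.toLowerCase();
  const ok = a === b;
  return { ok, distance: ok ? 0 : levenshtein(a, b) };
}

// Constructed sample addresses (hypothetical, not real wallets): the swapped
// one differs from the intended one in just three of the 40 hex characters.
const INTENDED = "0x1234abcd5678ef901234abcd5678ef901234abcd";
const SWAPPED = "0x1234abcd5678ef901234abce5678ef911234abdd";

// Stand-alone run: a three-character edit is easy to miss by eye, which is
// why an exact comparison, not a visual check, is the mitigation.
const result = checkDestination(INTENDED, SWAPPED);
console.log(`match=${result.ok} distance=${result.distance}`);
```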