Thread - Nostr Hypermedia

Trezor (One, Model T) Ledger (Nano S, Nano X, Stax) BitBox02 Blockstream Jade Keystone BitKey Software wallets using npm: Nunchuk Blockstream Green Muun BlueWallet Phoenix (for on-chain only, not Lightning) Zeus (on-chain) Exodus Tangem Hardware not affected (no npm reliance): Coldcard SeedSigner Krux Specter DIY Foundation Passport Desktop software wallets not affected: Sparrow Specter Desktop Electrum Wasabi

View quoted note →

Replies (29)

Dan⚡️ ch_da_do@bitcoinnostr.com 5 months ago

@BitBox 👀

Dan⚡️ ch_da_do@bitcoinnostr.com 5 months ago

@npub1qvph...lyfw 👀

Slimer Slimer@primal.net 5 months ago

@ZEUS

Slimer Slimer@primal.net 5 months ago

@Blockstream

Cody 5 months ago

@Frostsnap ??

1 replies ↓

Satoshi Coffee Co. satscoffee@sats.coffee 5 months ago

Got @Branta?

View quoted note →

Deleted Account 5 months ago

Coldcard and sparrow for the win 💪💪 View quoted note →

2 replies ↓

TheBitSmith jollytiger4@primal.net 5 months ago

@COLDCARD

ppatel ppatelnz@nostr.com 5 months ago

you have to find solution that is compatible with your technical ability, but trezor should really discontinue the trezor one. Its demonstrably been unsecure.

1 replies ↓

47 ak@rejecttheframe.xyz 5 months ago

@nick ?

47 ak@rejecttheframe.xyz 5 months ago

Signing devices and clients should not be made by same people

Dexter 5 months ago

So if I’ve got a Trezor Model 3 I should be ok then? What is the risk and has anyone actually lost bitcoin?

2 replies ↓

Junghwan 5 months ago

Coldcard + Sparrow = 💯

47 ak@rejecttheframe.xyz 5 months ago

The risk is in your software client by trezor being compromised. And you approving a tx to a malicious address.

NotBiebs and 69 others _@nostrstuff.com 5 months ago

Depends what software you use, but you should be fine as long as you verify the address you are sending to on the device. You should always be doing this anyways.

1 replies ↓

nicodemus 5 months ago

Why being open source is so important.

D'mon owo_i_owo@verified-nostr.com 5 months ago

Script kiddies hacked script kiddies. Sorry state of a hype ...

Dexter 5 months ago

Cool, I do that already so nothing to worry about then. Thanks

npub1q0au...sw5f 5 months ago

JavaScript bug enables Wallet hacking. Details to stay safe below. nevent1qqsvje9a3s9czvvwk9sh5vr62zxng692jggp8ypla74wfyjlpeehj5gpzemhxue69uhhyetvv9ujuurjd9kkzmpwdejhgt6awg6

nick nick@frostsnap.com 5 months ago

Frostsnap app does not use javascript. Frostsnap firmware is pure nostd rust.

1 replies ↓

47 ak@rejecttheframe.xyz 5 months ago

🫂

BankSith banksith@nostrplebs.com 5 months ago

Thx for update

theplatinumbear 5 months ago

Glad to see the most secure money is being secured by hardware wallets using JavaScript. Makes sense to me. SMH.

1 replies ↓

Marcelinho marcelinho@einundzwanzig.space 5 months ago

@BitBox is not affected

2 replies ↓

Sean 21Sean@primal.net 5 months ago

How so? Their accompanying app uses NPM as far as I know.

1 replies ↓

Sean 21Sean@primal.net 5 months ago

Yeo, convenience has been a major factor in the fiat economy for years.

npub1cvql...yjt3 5 months ago

FYI, Nunchuk is unaffected. Nunchuk does not use Javascript or NPM.

nunchuk_io

Nunchuk apps are NOT vulnerable to the recent NPM security exploit.

Our apps are fully native, with no Javascript or NPM dependencies. Thi...

Sean 21Sean@primal.net 5 months ago

GitHub

GitHub - BitBoxSwiss/bitbox-wallet-app: The BitBoxApp for desktop and mobile.

The BitBoxApp for desktop and mobile. Contribute to BitBoxSwiss/bitbox-wallet-app development by creating an account on GitHub.

Marcelinho marcelinho@einundzwanzig.space 5 months ago

https://nitter.net/BitBoxSwiss/status/1965187227795030044 npm is not the problem, but rather compromised packages that you download via npm. If you have good configuration management with fixed versions, you can quickly find out whether you are affected