Thread

Nostream has version 4.3.4 pinned as a dev dependency, meaning it should not automatically install the compromised version, but because no maintainer ever pins versions, other packages that depend on debug might end up bringing the compromised one. You might want to run npm run audit on your copy of the project and any Node project you are working on to see if you were affected.

I recently set up a nostream relay on a vps using your guide - its was easy to follow by the way and I've got it working. Im learning lots and I'm trying to get my head round how the relay system determines where things get stored. Anyway, do I need to panic here? Switch it off? What advice would you give someone who hasn't much experience running anything on an external server?

The security vulnerability would not affect you unless you had installed the malicious package today. Plus it only targeted browsers and the relay is a backend app. I wouldn’t put my hand on fire but you are probably on the safe here.

Hehehe. Good news as it was a couple of weeks back. One more small question. If some moron were to comment out the lines saying 'if running the script as root, stop the script', and then run it as root, would that be a really dangerous setup? Purely hypothetical, of course....

https://store.blockstream.com/?code=KgD7dk4Ejmt6 Check out the official announcements from Blockstream and Jade: . https://x.com/BlockstreamJade/status/1965147418242269232 . https://x.com/Blockstream/status/1965160059908022319 . https://x.com/Blockstream/status/1965162320625385897 The Blockstream app and the Jade hardware wallet are NOT affected; the app does not use JavaScript environments or NPM packages. Instead, it is built with Swift (iOS), Kotlin (Android), and C++ with QML (desktop/Qt), completely avoiding this vulnerability that affects packages with billions of downloads and that can swap crypto addresses to steal funds. This means that users' funds remain completely safe. Jade is the Bitcoin-focused hardware wallet emphasizing transparency and isolation, compatible with apps like Blockstream Green for air-gapped transactions via QR codes. Fully open-source code/hardware for community auditing, true air-gapped operation (no USB/Bluetooth for signing), and native Liquid network integration for sidechain assets like L-BTC/USDt. Liquid is a federated Bitcoin sidechain second-layer solution designed for fast and private settlements, using confidential transactions to hide amounts and assets(However, the Blockstream Green Wallet has the option to route using Tor), and enabling the issuance of tokens. Unlike Lightning, it is not focused on instant micropayments, but rather on safer and more efficient movement of larger values.