As Decentral’s Chief Security Officer, I’d like to share a few thoughts with you about a recent NPM vulnerability that you may have read about in the news. Rest assured, Jaxx Classic and Jaxx Liberty were not affected. That said, it’s worth explaining and understanding what happened, and why.
What is NPM?
First, for those of you not familiar with NPM, it’s a popular JavaScript package manager. Many software projects, including many cryptocurrency projects, use it to conveniently import and update open-source libraries.
What Happened?
The incident at hand saw several digital asset wallets compromised through a widely relied-on open-source software package. The good news is that this incident did not affect your Jaxx Classic and Jaxx Liberty wallets.
A rogue GitHub user injected malicious code into popular node package manager (npm) modules — event-stream (version 3.3.6) and flatmap-stream (version 0.1.1). The malicious change reportedly targeted specific digital asset wallets (neither Jaxx Classic nor Jaxx Liberty was among them) in order to compromise private keys. A statement by BitPay, which publishes the Copay wallet, explains this in greater detail.
Jaxx Classic & Jaxx Liberty Were Not Affected
Upon reading about the NPM vulnerability incident, we immediately performed comprehensive scans of our entire codebase and confirmed that this threat did not negatively impact Jaxx Classic or Jaxx Liberty.
In Jaxx, your private keys are never communicated off-device in the first place, which reduces the attack surface. We also have a range of security procedures in place, such as regular code reviews and network monitoring, to minimize exposure to rogue package updates.
Security by Default
We built Jaxx Classic and Jaxx Liberty with security in mind — to keep your digital assets safe every time you use our products. Security is in our DNA. It’s a priority that begins right from the design stage and continues through the standard development practices we follow, including an ongoing, rigorous code review process.
In an upcoming post, I’ll share more details on the steps we take to ensure our products are secure and tips on how you can protect your digital assets in Jaxx Classic and Jaxx Liberty. But in the meantime, here’s a tip you can use right away: before sending and receiving digital assets, always, always make sure you double-check the address.
Best regards,
Dr. S. Wang
Chief Security Officer
Decentral Inc, the maker of Jaxx Classic and Jaxx Liberty