PIN SOFTWARE VERSIONS

“It's sitting at 250 million plus right now. Is that right, Tay? So Tay and I were talking about this before we started and I was like, it's not really a postmortem yet. It's like an active mortem or like something. So we don't know that much, I guess, about exactly what has happened here. So just probably leading with like, there's a lot of speculation, a lot of uncertainty, because this is like a couple of hours old.”

“Oh, we, it's, it's, we've talked about it on the show. It's the Zoom calls. Well, now, now more often it's a Teams, it's a Microsoft Teams call, but it's exactly the same. So it's the exact same flow that we usually see in crypto. But they were targeting... developer, maintainer, yeah. That's the question is like, how the hell... it's very similar to crypto in the sense that you have individual people who are actually very smart, very talented, very capable, very computer knowledgeable.”

“So basically what they did, they compromised the developer, they push a malicious version of the code to the Axios package, which is a dependency in like a bazillion other packages, like all of them. And so then anyone who installed any of these packages or updated any of these packages or ran, like updated or were working on any projects that had these packages in them, all those people were compromised. It's automatic, it's silent, and it's in the background.”

“The Drift Protocol hack was still unfolding when Kain, Taylor, and Luca went live. Within hours of a suspected admin key compromise, over $285 million had been drained across Solana, with Circle sitting on the ability to freeze the stolen USDC — and choosing not to.”

“Even if you have hardware 2FA, protecting your authorization into your GitHub account or into your NPM account or whatever it is, when you authorize a token and save to your computer, that token is basically what you use to access these things for however long it is. If your computer is completely compromised in the way that DPRK compromises computers, that token, they take that token and they reuse it. Now it doesn't matter that you have MFA. It doesn't matter at all.”