00:36:00
DataHoarder:
https://blog.3mdeb.com/2025/2025-12-18-eom-key-issue/
01:30:43
321bob321:
Chmod 777
01:49:29
plowsof:
trust wallet does not contain monero, phew
01:52:03
plowsof:
not sure if true but the algorithm wants us to know about it https://xcancel.com/0xakinator/status/2004297673067704651
01:56:00
plowsof:
https://xcancel.com/TrustWallet/status/2004316503701958786
02:03:53
gan:skhron.org:
> Browser Extension
02:04:58
gan:skhron.org:
one should already stop at that sentence and think hard about the choices in their life that led to the decision to install a browser extension
05:20:40
BlueyHealer:
why tf is a wallet an extension
05:21:43
BlueyHealer:
Also this reminds me of the recent case: https://www.bleepingcomputer.com/news/security/ghostposter-attacks-hide-malicious-javascript-in-firefox-addon-logos/.
05:22:46
BlueyHealer:
The payload is snuck in inside a .png, and the fetching behavior is inconsistent to make detection harder.
05:32:17
lza_menace:
You would think these wallet providers which grab hundreds of dependencies would learn to better scan and detect shit like this
05:34:12
gan:skhron.org:
Imagine having locked packages and running an automatic auditor (probably a moot point)
05:35:04
gan:skhron.org:
Le developers can't be bothered to read changelogs, instead everything will be kept on the latest version 🧌
05:52:32
BlueyHealer:
I don't know whether it's feasible enough to audit the entirety of your dependencies, though - I guess depends on the scale. A malicious change you'd have to notice yourself, doubt it would be in the changelog.
05:54:45
gan:skhron.org:
it'd be worth it to actually change versions of packages based off functionality instead of just keeping everything on the latest
05:55:09
gan:skhron.org:
and it's possible to audit all dependencies over time
05:56:30
BlueyHealer:
I just don't entirely understand whether the scale of it is manageable. In this case, you're auditing just the changes, so I understand the scale even less.
05:57:44
BlueyHealer:
Also, with such an approach - how does a package manager handle that if various packages have different versions of the same dependencies? I never thought of that before...
05:58:17
gan:skhron.org:
the basic reason to perform audits is to prevent vulnerabilities, we actually have automatic means for checking whether packages are in the vulnerability databases
05:58:19
BlueyHealer:
Like, sometimes (like with Lua) different versions are differently-named packages, but not always.
05:59:29
BlueyHealer:
Yeah, indeed.
06:00:08
gan:skhron.org:
BlueyHealer: obviously the highest version based off another dep should be selected, assuming there's no breakage
06:00:36
gan:skhron.org:
an example: https://rustsec.org/
06:00:50
gan:skhron.org:
to the previous statement above*
06:02:35
BlueyHealer:
wdym "based off another dep"?
06:04:46
gan:skhron.org:
if there's a dep that requires a specific version of the dep that happened to be higher and another package demands the lower one, assuming there's no breakage - the highest one should be selected
06:14:41
BlueyHealer:
But that could cause breakage in the one that depends on lower, no?
06:23:13
gan:skhron.org:
that depends
06:26:47
gan:skhron.org:
sometimes - yeah, therefore it'd be reasonable to use multiple versions assuming the lower one won't have any vulnerability