CIAN Security Update: We Are Safe After npm Attack

Summary

CIAN has issued a security update confirming that all of its frontend projects are safe following a recent attack that poisoned the popular npm package "error-ex." Attackers used the poisoned package to redirect MetaMask transactions to malicious addresses, but CIAN's comprehensive audits found no compromised packages in its systems. As an extra precaution, CIAN has locked all package versions, assuring users that its interfaces remain completely safe to use.

Security Update: Cian is Safe

What Happened: The npm package "error-ex" (47M weekly downloads) was poisoned by attackers. Affected websites would redirect MetaMask transactions to hacker addresses using similar-looking addresses to confuse users during signing.

Cian's Status:
- All Safe - Comprehensive audit of our 5 frontend projects found zero compromised packages (checked both direct dependencies and all upstream transitive dependencies)
- Extra Precaution - We've locked all package versions and paused updates until threats clear

Bottom Line: It is completely safe to use all Cian interfaces.

General Security Recommendations:
- Hardware wallet users: Enable clear signing and verify every address digit-by-digit
- Software wallet users: Consider avoiding on-chain transfers temporarily, or at minimum pause updates/usage of suspicious JS packages
- Developers: Immediately check dependency versions and roll back to safe versions or lock dependencies
https://x.com/CIAN_protocol/status/1965288253353025874
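
One way a developer could carry out the dependency check recommended above, covering direct and transitive copies of a package, shown as an added example (it is not CIAN's audit tooling). The manifest, the lockfile, the package names other than error-ex and every version string are constructed, and the suspect-version list is a placeholder to fill from the advisory.

```javascript
// Constructed sample data: a trimmed package.json and package-lock.json
// (lockfileVersion 3 layout). "some-cli" and "parse-json" are hypothetical
// stand-ins for whatever depends on the package under review.
const SAMPLE_MANIFEST = {
  dependencies: { "some-cli": "^2.1.0", "parse-json": "5.2.0" },
};
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "frontend-app" },
    "node_modules/some-cli": { version: "2.1.4" },
    "node_modules/parse-json": { version: "5.2.0" },
    "node_modules/error-ex": { version: "0.0.0-sample.1" },
    "node_modules/some-cli/node_modules/error-ex": { version: "0.0.0-sample.2" },
  },
};

// Every installed copy of `name`, hoisted or nested under another package,
// with its install path. Matching on the full "node_modules/<name>" segment
// avoids false hits on names that merely end with the same string.
function findInstances(lock, name) {
  const suffix = "node_modules/" + name;
  return Object.entries(lock.packages || {})
    .filter(([path]) => path === suffix || path.endsWith("/" + suffix))
    .map(([path, meta]) => ({ path, version: meta.version }));
}

// Copies whose resolved version appears on the advisory's bad-version list.
function flagged(lock, name, badVersions) {
  return findInstances(lock, name).filter((i) => badVersions.includes(i.version));
}

// Direct dependencies declared as ranges rather than exact versions. A range
// lets an install without a lockfile, or an update, pick up a new release.
function unpinned(manifest) {
  const all = { ...manifest.dependencies, ...manifest.devDependencies };
  return Object.keys(all).filter((d) => !/^\d+\.\d+\.\d+(-[\w.]+)?$/.test(all[d]));
}

// Placeholder list (constructed value, not a real indicator).
const BAD_VERSIONS = ["0.0.0-sample.2"];
console.log(findInstances(SAMPLE_LOCK, "error-ex"));
console.log(flagged(SAMPLE_LOCK, "error-ex", BAD_VERSIONS));
console.log(unpinned(SAMPLE_MANIFEST));
```

For a real project, pass the parsed contents of `package.json` and `package-lock.json` in place of the sample objects.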
