If you have ever run FxA servers, please read on. Several FxA servers depended on a version of flatmap-stream that was taken over by an attacker <https://github.com/dominictarr/event-stream/issues/116> and corrupted to steal bitcoin wallets. These repos include:
- fxa-local-dev <https://github.com/mozilla/fxa-local-dev> [1]
- fxa-oauth-server <https://github.com/mozilla/fxa-oauth-server/> [2] (pre-Oct 24th)
- fxa-auth-server <https://github.com/mozilla/fxa-auth-server/> [3] (post-Oct 24th)
- fxa-basket-proxy <https://github.com/mozilla/fxa-basket-proxy/> [4]

If you run any of these servers, please stop them now and update to the latest versions. Each repo can be updated by entering their directory and typing:

> git checkout -- .
> git pull
> npm install

For fxa-local-dev, type:

> git checkout -- .
> git pull
> npm install
> ./scripts/update_all.sh

Our current information is that the malicious package was designed to steal bitcoin wallets. If you are running a bitcoin wallet app on the same machine as FxA, check your wallet. Again, this is only necessary if you run any of [1][2][3][4] locally. The Mozilla-hosted Firefox Accounts servers are not affected, and if the Mozilla-hosted servers are the only ones you use, you are not at risk.

If you have questions, please email [email protected], or visit the #security channel in IRC or Slack.

Thanks,
Shane

[1] - https://github.com/mozilla/fxa-local-dev
[2] - https://github.com/mozilla/fxa-oauth-server/
[3] - https://github.com/mozilla/fxa-auth-server/
[4] - https://github.com/mozilla/fxa-basket-proxy/

