BlockThreat - Week 17, 2025

Ripple | VOXEL | Loopscale | BTCM | Term Labs | Impermax | LIFE | Aventa

Greetings!

Almost $9M was stolen this week across 14 incidents! We saw price oracle manipulation, key theft, precision loss, arbitrary external calls, and even the rarer storage manipulation vulnerabilities—all making an appearance.

But let’s focus on a ticking time bomb: the rise in supply chain attacks. These are becoming disturbingly frequent and have the potential to wreck the entire ecosystem. This week, it was Ripple’s turn. The xrpl.js Node package was backdoored by what appears to be a compromised employee. Fortunately, the change was caught early and flagged by Aikido.

Last month, Coinbase’s Agent Kit repo was similarly targeted through a compromised contributor who inserted key-stealing code. In December 2024, Solana’s NPM library was backdoored. We may feel lucky that damage was limited in those cases—but tell that to AdsPower users who lost $4.7M just months ago.

We’ve already witnessed our first >$1B breach due to poor key management practices—Bybit. Unless we begin to seriously lock down our code repositories and dependencies, it’s only a matter of time before another wallet or exchange gets wiped out.

Let’s learn from the infamous XZ Utils/OpenSSH incident, which nearly led to mass compromise of internet-facing servers via a sophisticated supply chain backdoor. Here are some essential controls you should implement now:

  • Pin dependency versions to prevent silent, backdoored updates.
  • Continuously monitor and test dependencies using tools like GitHub Dependabot, OSS Review Toolkit, and similar.
  • Require peer reviews for all commits and deploys.
  • Harden your CI/CD pipelines with automated tests and anomaly scanning—both in your code and in your dependencies.
  • Minimize the number of privileged admins who can push packages outside the regular process. Treat them with the same caution as your key-signing infrastructure.
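As an added illustration of the first two controls (this is example code written for this commentary, not code from BlockThreat, Ripple, or the xrpl.js project), the script below audits a Node.js project's manifest and lockfile: it flags every dependency spec that is not an exact version pin, and every lockfile entry that lacks a strong integrity hash, so that a silently published backdoored patch release cannot be pulled in by a floating `^` or `~` range. It assumes the npm lockfile v2/v3 layout (a top-level `packages` map keyed by `node_modules/...` paths); the two sample manifests are constructed for the example and the package versions in them are not real releases.

```javascript
// Dependency-pinning audit for a Node.js project (added example, not from the
// original page). Flags floating version ranges in package.json and missing or
// weak integrity hashes in package-lock.json. Sample inputs are constructed.

// A spec counts as pinned only if it is an exact semver version, optionally with
// a prerelease or build suffix. Anything else (^, ~, *, x, ">=", dist-tags such
// as "latest", git or http URLs) may resolve to a different artifact later.
const EXACT_SEMVER = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

function isPinned(spec) {
  return EXACT_SEMVER.test(String(spec).trim());
}

// Walks every dependency section and returns the entries that are not pinned.
function findUnpinned(pkg) {
  const sections = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];
  const findings = [];
  for (const section of sections) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      if (!isPinned(spec)) findings.push({ section, name, spec });
    }
  }
  return findings;
}

// Lockfile v2/v3 stores one entry per installed path. Each fetched tarball
// should carry a Subresource-Integrity hash (sha256/384/512); without it
// `npm ci` cannot verify what it downloads. The root entry ("") is the project
// itself and workspace links have no tarball, so both are skipped.
function findMissingIntegrity(lock) {
  const missing = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '' || entry.link) continue;
    const strong = typeof entry.integrity === 'string' && /^sha(256|384|512)-/.test(entry.integrity);
    if (!strong) missing.push(path);
  }
  return missing;
}

function auditProject(pkg, lock) {
  return { unpinned: findUnpinned(pkg), missingIntegrity: findMissingIntegrity(lock) };
}

// Constructed sample package.json (names and versions are illustrative only).
const samplePackageJson = {
  name: 'example-wallet-backend',
  dependencies: {
    'xrpl': '1.2.3',        // exact pin: passes
    'express': '^4.19.0',   // caret range: any 4.x >= 4.19.0 would install
    'lodash': '~4.17.21',   // tilde range: any 4.17.x >= 4.17.21
    'left-pad': 'latest',   // dist-tag: resolves to whatever is published last
  },
  devDependencies: {
    'typescript': '5.4.5',  // exact pin: passes
    'jest': '>=29',         // open range
  },
};

// Constructed sample package-lock.json (lockfileVersion 3 layout).
const samplePackageLock = {
  name: 'example-wallet-backend',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-wallet-backend' },
    'node_modules/xrpl': { version: '1.2.3', integrity: 'sha512-PLACEHOLDER_NOT_A_REAL_HASH==' },
    'node_modules/express': { version: '4.19.2' },                        // no integrity at all
    'node_modules/lodash': { version: '4.17.21', integrity: 'sha1-weak=' }, // weak algorithm
    'node_modules/my-lib': { link: true },                                // workspace link, skipped
  },
};

const report = auditProject(samplePackageJson, samplePackageLock);
console.log(JSON.stringify(report, null, 2));
```

In a CI job the same functions would read the real `package.json` and `package-lock.json` from disk and fail the build when either list is non-empty; pinning in the manifest plus a committed lockfile with integrity hashes is what makes `npm ci` reproducible, and the review requirement in the list above then applies to every lockfile diff.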

I get it—it’s not the glamorous side of blockchain security. But you must lock down your code repos and dependencies. Starting now!

Speaking of locking things down and staying paranoid, BlockThreat is proud to have a very special sponsor and a friend this week: Opsek. Pablo and Louis are exactly who you should be talking to if you want to tune up not just your operational security—but the most critical, vulnerable layer of your organization: your people.


Is your team safe from sophisticated threat actors?

More than 98% of stolen funds in the Web3 ecosystem are hacked without breaking code but by breaking people. Opsek will train your team to become paranoid, and harden your complete operational security stack.

You are already a target, don't get rekt.

Link: https://opsek.io/


For detailed post-mortems and indicators on this week’s smart contract exploits, including Loopscale, BTCM, Term Labs, Impermax, LIFE, Aventa and others, see the premium section below.

Let’s dive into the news!

News

Crime

Policy

Phishing

Scams

Malware

Media

Research

Tools

Hacks

USDBIT

Date: April 21, 2025
Attack Vector: Rounding Error
Impact: $5,000
Chain: BSC

References:

https://x.com/TikkalaResearch/status/1914484898855051328

Unkn_92d09d

Date: April 22, 2025
Attack Vector: Storage Manipulation
Impact: $40,000
Chain: Ethereum

References:

https://x.com/Phalcon_xyz/status/1914631419432665216

BTCM

Date: April 22, 2025
Attack Vector: Logic Error
Impact: $1,000,000
Chain: Arbitrum

References:

https://x.com/blockaid_/status/1914680881823822083

Ripple

Date: April 22, 2025
Attack Vector: Supply Chain
Impact: Assets Stolen

References:

https://x.com/guardrailai/status/1914760244019839478

Oxya

Date: April 23, 2025
Attack Vector: Stolen Private Keys
Impact: $45,000
Chain: Ethereum

References:

https://x.com/CyversAlerts/status/1915118805740638687

https://x.com/OxyaOrigin/status/1915109745553289434

https://x.com/AaronBaylo/status/1915114342905000153

ACB

Date: April 24, 2025
Attack Vector: Price Oracle Manipulation
Impact: $84,000
Chain: BSC

References:

https://x.com/TenArmorAlert/status/1915324379757502727

https://x.com/SlowMist_Team/status/1915239816486412697

Zora

Date: April 24, 2025
Attack Vector: Arbitrary External Calls
Impact: $140,800
Chain: Base

References:

https://x.com/TenArmorAlert/status/1915649260499910854

https://x.com/CyversAlerts/status/1915407845899596090

Impermax Finance

Date: April 26, 2025
Attack Vector: Price Oracle Manipulation
Impact: $152,000
Chain: Base

References:

https://x.com/TenArmorAlert/status/1916089811770675312

https://x.com/hklst4r/status/1916164701597089826

Term Labs

Date: April 26, 2025
Attack Vector: Incorrect Price Oracle
Impact: $1,500,000
Chain: Ethereum

References:

https://x.com/TenArmorAlert/status/1916149115630604341

https://x.com/term_labs/status/1916941405173485897

Unkn_8393f7

Date: April 26, 2025
Attack Vector: Function Parameter Validation
Impact: $34,000
Chain: BSC

References:

https://x.com/TikkalaResearch/status/1916279683093827629

Loopscale

Date: April 26, 2025
Attack Vector: Price Oracle Manipulation
Impact: $5,800,000
Chain: Solana

References:

https://x.com/LoopscaleLabs/status/1916183179469246626

https://x.com/LoopscaleLabs/status/1916230435291713786

https://x.com/greyswan_/status/1916227201067872263

https://www.theblock.co/post/352083/solana-defi-protocol-loopscale-hit-with-5-8-million-exploit-two-weeks-after-launch

Audit:

https://x.com/greyswan_/status/1916227204075180385

Negotiations:

https://x.com/suppvalen/status/1916597817541382564

Unkn_4bbb53

Date: April 27, 2025
Attack Vector: Insufficient Function Access Control
Impact: $1,300
Chain: BSC

References:

https://x.com/TikkalaResearch/status/1916879978878370216

Aventa

Date: April 27, 2025
Attack Vector: Reward Manipulation
Impact: $8,000
Chain: Ethereum

References:

https://x.com/SlowMist_Team/status/1916405508833218995

https://x.com/TikkalaResearch/status/1916884429374701793

LIFE

Date: April 27, 2025
Attack Vector: Price Oracle Manipulation
Impact: $51,000
Chain: BSC

References:

https://x.com/SlowMist_Team/status/1916391258664174045

https://x.com/TenArmorAlert/status/1916312483792408688

https://x.com/TikkalaResearch/status/1916269436035862898