
📰 News Article

Security Update: NPM Supply-Chain Incident & FROGEN Status

Hopper Greene

Last updated: 9 Sept 2025, 7:46pm (UTC)

What’s going on? I heard there was a hack.

On 8 Sept 2025 (UTC), a maintainer’s npm account was phished and a handful of widely used JavaScript packages briefly shipped malicious updates. The payload targeted browser apps and tried to silently swap crypto recipient or approval addresses right before a user signed a transaction. The affected versions were pulled within hours. This was not an on-chain or exchange hack. It was a front-end software supply-chain issue.

What should I do and not do? Am I safe?

For most users, this is not a reason to panic. Still, good hygiene matters:

Do

  • Prefer hardware-wallet signing and read the address and amount on the device screen before approving.
  • If you used any web dApps on 8–9 Sept, quickly review your recent approvals and allowances and revoke anything you do not recognize.
  • Keep your browser and OS up to date and minimize extensions while transacting.

Don’t

  • Do not rely only on what the web page shows. UI text can be spoofed.
  • Do not paste addresses blindly. If you must paste, compare the first and last characters and verify on-device.
  • If a site deployed during the incident window, do not interact with it until it has confirmed a clean rebuild.

Is it safe to use the FROGEN presale? How have we protected customers?

Short answer: Yes, based on our review to date. Here’s why:

  • No risky deploys: We did not build or deploy any new front-end code during the incident window on 8–9 September 2025 (UTC).
  • Assets unchanged: The JS and CSS bundle hashes we serve in production match our last known-good release.
  • Pinned, deterministic builds: Our builds use locked dependencies (package-lock.json or yarn.lock) and reproducible installs in CI. This prevents surprise version bumps.
  • No remote, mutable scripts: We do not load wallet or analytics code from tag managers or from “latest” CDN URLs that could change without a deploy.
  • Extra checks run: As a precaution we scanned our production bundles for known indicators, and we validated that none of the specifically compromised package versions are present in our dependency tree.

Operational safeguards (ongoing)

  • We maintain a deny-list for the exact bad versions reported and we block them in CI.
  • If risk signals ever rise, we can instantly disable the Buy button and re-enable only after a clean rebuild plus CDN and service-worker purges.
  • We will continue to monitor upstream advisories and update this post if anything materially changes.

What else?

  • How you can stay extra safe:
    • Use a hardware wallet when possible and treat the device screen as the source of truth.
    • For first-time withdrawals or large amounts, do a small test send first.
    • On centralized exchanges, enable withdrawal address whitelists and strong MFA or passkeys.

  • See something odd? Tell us.
    If you notice any address mismatches, unexpected approvals, or UI behavior that looks off, report it immediately in our Discord channel by opening a support ticket.