🚨 Breaking: 31 npm packages from @RedHat have been compromised. 100,000+ weekly downloads affected. The upstream CI/CD pipeline was compromised, with all packages published via GitHub Actions OIDC. The payload: ⚠️ Reads GitHub Actions runner process memory to extract masked secrets ⚠️ Sweeps credentials across AWS, GCP, Azure, K8s, Vault, and npm ⚠️ Self-propagating worm that republishes backdoored packages using stolen npm tokens, bypassing 2FA ⚠️ Persists on dev machines via Claude Code settings hijack and VS Code task injection ⚠️ Exfiltrates data through GitHub API commits, blending in with normal git operations We have responsibly disclosed the incident to the maintainers. Full technical analysis:

PSA: I now consider *all* of DeFi unsafe. Coding agents are superhuman at finding vulnerabilities, and smart contract security is too asymmetric: defenders need to fix every bug while attackers need just one exploit to steal funds.

🎉 正式宣布！imBack 已成为 @SlowMist_Team 慢雾区生态合作伙伴！ 慢雾（ imBack（ 感谢慢雾安全团队的认可与支持！ #SlowMist# #区块链安全# #CryptoRecovery# #imBack#

🚨 Blockaid detected an ongoing exploit targeting the SquidRouterModule on Ethereum and Base. 86 Gnosis Safes drained for ~$3M in ~2 hours. All stolen tokens swapped to DAI via attacker-controlled Uniswap V3 pools. More details in 🧵

Some of my perspective on where the @ethereumfndn is going. First of all, this is only my own view. The board is not just me, and I have no extra special powers on the board that the other board members do not. @aerugoettinea is the one executing much of this transition. My input has been largely on technical questions. The board is in the process of expanding, and my own power within the org will continue to decrease, which is honestly what I want. The 2025 era brought many important improvements to EF and its ability to execute. Many issues were resolved, and EF continues to benefit from its improved efficiency and greater focus on concrete goals to this day. And so with those problems resolved, early this year, the largest remaining hole that I perceived was something different nagging at me: I would regularly spot people saying things like "vitalik says these beautiful things about ethereum needing to be decentralized, and have privacy, and be a sanctuary technology, but why do the EF's actions not reflect that?" Now, you may have been hearing something different. You may not have been sensing a feeling of crisis at all, and maybe were hearing people saying that finally we were taking execution and BD seriously and the main task for us is to keep going that way and be even better and faster. Then probably there is genuine difference between you and me, in what kinds of criticism I take most seriously, and what kinds of critics through their criticism are most able to make me feel pain. As an analogy, let's briefly switch over to a different domain. One belief you can have about Google is that it is a success story, and has brought a lot of good to humanity in organizing the world's information. Another belief you can have about Google is that they had a beautiful idealistic beginning, but at some point the corruption of mainstream corporate attitudes seeped in, and they slowly bit by bit completely abandoned the "don't be evil" slogan. My belief on Google specifically is probably somewhere between the two. BUT, if you had taken me back in time to ~2008, and offered me a button to press to make Google one or two standard deviations more "dogmatic", eg. give Richard Stallman permanent veto power over some key policies, I would immediately press it. Why? Because a choice for one company is not a choice for the world, or even one country. Google existed and exists in the context of a technology industry generally drifting away from early idealistic don't-be-evil roots and toward greed for financial gain, totalizing visions of accelerated superintelligence, infiltration by sociopaths, and craven capitulation to (or worse, active participation in) government pressure for ideological control, surveillance and war. And so *one company* doing something different, positioning itself to be what George Bernard Shaw calls the Unreasonable Man, resisting the trend of the times, would have been better for freedom, balance of power and stability of society as a whole, than *all* large companies bending to dominant trends. This is a part of my version of pluralism. This line of thinking is not just mine, but I also is not too far off from what Aya and others had in mind with the Mandate. Now how does this all get to the role of the EF? EF is not a "center of Ethereum", rather EF is "one node, with a defined purpose, alongside other nodes". We've always said that the EF should be the latter, but many in the Ethereum ecosystem (and even within the EF) wanted us to be the former. Now, we are taking action to ensure that we will be the latter. This is particularly important because EF is a limited organization, with limited resources and limited organizational capacity. The EF has only ~0.16% of all ETH (less than many other individual ETH holders), whereas among other blockchains it's common for "the central foundation" to have 10-50%. Fiscally, the EF was originally designed to fulfill a limited work scope defined in the token sale docs and other pre-launch materials (building the chain software; getting through Frontier, Homestead, Metropolis, Serenity), which was fully completed in 2022; it was not designed to be an eternal steward. And so today, the EF is choosing to use its remaining resources to pursue longevity over breadth (yes, this means we sell less ETH). The EF focuses *specifically* on those activities critical to the success of ethereum as a censorship/capture-resistant, open, private and secure system, that would not happen otherwise. This means making hard choices, and in some cases even activities that we highly approve of and people that we highly respect becoming outside of the EF. People of great technical talent, public respect and even alignment with the mission and CROPS being outside of the EF is in fact necessary if we want important tasks to be able to attract outside capital. This also means the EF taking opinionated stands culturally. This is all intended in cooperation with all other parts of ethereum. We recognize that many other parts of the ethereum world highly respect CROPS and related values. But highly respecting is not the same as choosing to specialize and totally dedicate to a domain (Compare in a different domain: I think reducing animal cruelty is important, and I like vegan food, but am not full unconditional vegan myself) EF is still in a transition period, and we expect its new long-term form to stabilize over the next few months. What are the guiding principles of this new form? Again, I am only one person, but I can give my answer from a technical perspective (there are also critical non-technical aspects). At the core, *Ethereum must be impressive*. We are living in an age of highly intelligent AI and all kinds of other technological acceleration. "Status quo EVM, with a hard fork or two a year to optimize for short-term needs of users" is not interesting. To some, "impressive" means: 250ms latency and 1M TPS. I think Ethereum trying to go that route is a mistake. Being as fast and as scalable as possible, and only a small epsilon more decentralized than the others, is a route to mediocrity, and if we try it we will lose. I think Ethereum should scale. But I think Ethereum should strive the hardest to be deeply impressive in a different dimension: the CROPS dimension. This means things like: * Provably bug-free Ethereum. This is a goal that all cybersecurity researchers would have thought is absurd and impossible, up until roughly 6 months ago. Now, it's on the cusp of being possible, thanks to AI-assisted formal verification. So we should be frontrunners in doing this. * Available chain consensus. Ethereum is, and with lean consensus will cotninue to be, the ONLY chain that has both (i) traditional-BFT style properties that it's safe under asynchrony up to a high level of fault tolerance, and (ii) the bitcoin PoW-style property that under synchrony it's safe up to 49% attackers. As far as I can tell, literally no other chain has this or is planning for it; bitcoin goes for (ii) only and most other chains go for (i) only. Some will remember I fought hard for this, Unreasonably insisting that it is not OK for ethereum to rely on social consensus and hard forks to rescue ethereum from 34% of nodes going offline. It's OK for chains like hyperledger, bnb, solana, tempo, etc. It's not OK for bitcoin or ethereum or eg. zcash. * Intermediary minimization. The fact that smart contract wallets, protocols like railgun, etc have to send transactions through intermediaries to get included onchain is honestly embarrassing, and it's a constant point of fragility. Hence the work on FOCIL and EIP-8141 (and 7701 and years of work before) to make transaction sending intermediary-minimized with public mempool and strong inclusion properties, in a truly general-purpose way, that covers not just eg. secp256r1, but also privacy protocols and much more. Kohaku is pushing intermediary minimization at the user layer, pulling Ethereum away from the dystopian status quo world where our wallets don't even verify the chain, send our private data out to a dozen third-party servers, and toward a brighter CROPS future. Some of these goals are Unreasonable - maybe Ethereum would be "fine" getting only 50% of the way - what if we depend on intermediaries, but make it easy to switch? But going 50% of the way would not make Ethereum Deeply Impressive in the CROPS way. So we push for 100%. Fortunately all these goals are compatible with high TPS, this is a major focus of research (esp. on scaling the state). Well-designed L2s can also help, especially L2s optimized for specific applications (eg. high-volume trading, privacy...). These goals are even compatible with significantly lower slot times, thanks to Raul's work on erasure-coded P2P, and many other optimizations. The most high-value "product" of the ethereum blockchain, financially speaking, is ETH the asset. Ethereum secures $250 billion of ETH. The types of properties of Ethereum that I mentioned above are very good for ETH the asset. Nearly 90% of my net worth is in ETH, and most of the remainder is ~$40m of onchain fiat of which every dollar has already been allocated for some open-source biotech or software or hardware initiative. That said, there are aspects of supporting ETH the asset - *necessary* aspects even - that are outside the scope of the EF. This is where we need other heroes (some of whom hold more ETH than the EF does) to step in and help. EF has been recently thinking more about how it will relate to other such organizations, and give them needed initial support. EF will be a smaller ship than in previous years, a more opinionated one - in some cases more opinionated in ways that might be difficult to comprehend - but a longer-lasting one, and one suited to making sure that ethereum brings something meaningful to the world. We are grateful to all those inside and outside the EF who are helping to make this happen.

No polymarket or UMA contracts have been exploited. All user funds are safe, and using is safe, so business as usual. We had a 6-year-old private key that was compromised. This was in the internal top-up config, which is why funds were being sent to it. We have rotated this key, revoked all prod permissions and are moving all PKs to KMS keys from now on.

负薪者冻毙于途，卖浆者渴死于道。织锦者身着粗布，种粮者食不果腹 今天和一个OG见完面之后，这四句话跃然纸上，也是无数仍然活跃在 Web3 一线的从业者的心声。我转发了一年多前我作为吹哨人给行业写的推，虽然预测对了结果，但这不是任何从业者想要的结果。没有人想过这件事会发生。但它正在发生。没有人愿意发声。所以我来斗胆发声。 引子 这周在上海，去了 Sun 在虹桥做的 MuShanghai。 整整一个月的活动，分了 4 个主题周——biotech、AI、culture、robotics。全球 2000 多人报名，最后筛了 800 多人到现场，从 Stanford 创业者，到前 OpenAI 工程师、YC、HF0、Frontier Tower 的 Jacob。Sun 和 Sunny 三个人加上一个二十人的志愿者组，干了一件全中国可能只有他们能干的事——把签证、国际网络、政府关系全部打通，做出了一个真正意义上的 global gateway。光这一点，已经值得行业每一个人给他们鼓掌。这是从 crypto 社区走向多元化社区最成功的一个团队。 但走完几圈，我心里的感受是复杂的。现场接近一半的参会者是 crypto 背景的人。他们身上贴的新标签是 biotech founder、AI agent builder、robotics 创业者、文化策展人。有些人是真的在探索下一段旅程，有些人是在体面地准备离开 crypto。这是这个行业的人正在展开的一场伟大的自救——以一种我从来没见过的方式。 正文 1/ 这两年我比任何时候都更悲观，但也比任何时候更不愿意放弃 最近见了很多人，听了很多事。这个行业的问题已经不是熊市的问题，是整个生态系统的正反馈机制坏了。 我把这些零散的观察、对话、反思整理出来。不是吐槽，是希望更多人一起把这件事扛起来。 2/ "小概率坏事件"正在批量发生 我最近在读概率论。我们这些老人都习惯用周期去理解市场——上个周期有 alt season，这个周期也会有。但今年所有原本被低估的小概率事件正在同时发生： 中国 Web3 大开发者，50–60% 流向了 AI。走的人基本不会再回来 几千个项目融了上百亿美金，没几个真正出圈的应用 华尔街、特朗普、主权基金把比特币拿走，原生 builder 的位置越来越窄 美国基金募资发展蓬勃，亚洲生态系统遇到生存危机，创业者流血上币离场，投资人退场 不是周期没来，是这一代周期的剧本和过去完全不同了。 3/ 关于以太坊：我不悲观，但我担心 以太坊的改革已经到了刻不容缓的时候。 过去最好的几个时间窗口——21 年的牛市、22 年的转折——本来是推动应用创新、做出超级应用的最佳时机，行业内最大的注意力、最多的钱、最优秀的人才都聚集在那个窗口里。但当时的方向押在了 ZK、L2 这些技术叙事上。技术方向本身没有错，错的是在大众市场最该出现大众产品的时间点上，把所有的资源堆到了小众的方向。 现在到了熊市，再想推一个超级应用出来，比那两年难十倍。 以太坊价格的疲软，本质上是整个 Web3 的疲软。因为以太坊承载了行业最多的资本、最多的人才、最多的注意力。它能不能再次起来，关乎几百万从业者的未来。 4/ Vitalik 可能正生活在一个巨大的信息茧房里 我最近一个很强的感受是：围绕 Vitalik 的人，大多不敢直接告诉他行业有多艰难、以太坊真实的困境在哪里。 利益寻租的群体越来越多，小圈子和圈层文化越来越严重。新的方向、新的机会出来，往往沿着原有那个圈子的纽带向外延伸。普通社区、普通从业者，很难有机会和 Vitalik 正常交流、反馈意见。社区的不满和抱怨被层层过滤，被拒之门外。 这不是某个人的错。是一个组织在快速膨胀到 200+ 人之后，反馈机制没有跟上。但温水煮青蛙的代价，最后会落在每一个还在这个生态里 build 的人身上。 5/ 从业者没有正反馈，社会和下一代似乎都不认可 这是这一代从业者最真实的共同处境，跨越地理： 中国，行业被定位为灰产，常常和传销绑在一起；香港，因为一连串交易所跑路事件，从业者默认被当骗子；新加坡，crypto 被认为是不入流的行业；美国，相比 AI 创业者，crypto 从业者几乎没有社交身份。 我听到从业者说他上高中的孩子不愿意学钱包私钥，认为他父亲做的事业拿不上台面。许多创始人作为家长不敢在学校家长会说自己做什么。下一代根本不觉得这是一个值得参与的事业。 当一个行业连"我从事它"这件事都说不出口，它的接班人问题就不再是抽象的，是迫在眉睫的。 6/ 接班人问题正在到来 以太坊第一代核心开发者大多组建了家庭、有了孩子。这是非常自然的人生阶段，没办法像十年前那样一天写十几个小时的代码。 但下一代在哪里？ 我们尝试过：高校的研究生博士生、Web2 大厂的工程师、早期社区的极客。可是在 AI 这么蓬勃的时代，我们拿什么留住他们？比特大陆和字节当年同时招应届生，薪资差不多——10 年后股权回报差了几千万。这一代年轻人看着上一代的结局，凭什么会选 crypto 而不是 AI？ 而且我们不只是要留住下一代，还要和 AI 直接抢人才。Solana、以太坊、AI 实验室、机器人公司在同一个池子里捞人。crypto 一线项目给的 package 已经很难再有竞争力。 接班人不会自己长出来。它需要系统性的培养：crypto school、研究 grant、开发者基金、长期 mentor 机制。Paradigm、a16z、AllianceDAO、ResearchHub 在做。中文区也必须有人做。 7/ 对 Vitalik 的一点期待 我想用鼓励的方式说这件事，因为攻击没意义。 Vitalik 是这个行业最有影响力的创业者。他不只是首席科学家，他是行业方向的灯塔。在以太坊最关键的转型期，他需要重新回归创业一线。不是回到 2014 年的他，是带着这些年的反思、回归创业初心的他。 熊市是最适合 build 出下一代产品的时机。他需要把核心开发者、社区、第二代年轻人重新凝聚起来，一起朝着下一个 10 年迈进。 他周围必须有能直接告诉他真实情况的人。 8/ 中美 OG 的分岔：生态系统的造血能力 去年我写过《不要让赌场吞噬大教堂》，对比过这两条路径。今天必须再说一次： 中国创业团队的融资环境极其严峻。亚洲市场化基金 90% 处于水深火热。这意味着亚洲 Web3 生态没有造血能力。一旦顶尖的几支基金撑不住，整个生态系统就会塌方。 中美 OG 在拿到行业第一桶金之后的选择差异，今天看格外刺眼。美国的 OG 大多还在建设——Rune、Hayden、胡安这一批人，是在持续把财富回投到生态。中国的 OG，大多数赚到钱之后选择套现离场，一部分转去投资 AI，更少的人在做真正的下一代建设。 这不是道德指责。我希望中国 OG 在得到行业恩惠之后，能够回头帮助新一代年轻人。建立一个完善的生态系统、形成正反馈循环，是这个行业活下去的唯一方式。 9/ 从业者怎么活下来 大部分web3公司和机构会在接下来AI浪潮和悲观行情下继续裁员30%以上，因此活下来比什么都重要。 讲完体系问题，回到个人。我自己也在这个泥潭里，所以我想分享几点。 找到合理性。 你为什么还在这里？不是为了 token 价格，不是为了 KOL 流量。是因为你相信这件事，是因为你过去得到过这个行业的恩惠，是因为你的团队和投资人需要你。把这个"为什么"想清楚，剩下的事会有方向。 让工作和生活充实。 行业的低气压会渗透到每一天的情绪。不要让 token 价格定义你的自我价值。多读书、多见线下的朋友、多花时间陪家人、做一些和市场无关的事情。这是熊市最重要的功课。 直面困难，但别让失望发酵成放弃。 现在社区的情绪不是"危机感"，是"失望"。这两个词的区别是——危机感意味着想改变，失望意味着想放弃。要努力让自己留在前者。 学新东西。 我自己也在学 AI。这周在 MuShanghai 看到那么多 crypto 从业者贴上新标签去探索 biotech、AI、robotics，我心里其实是感动的。能力到了我们就能选，能力不到只能被选。Web3 仍然是 IOSG 最重要的业务，我们不会放弃。当然这不影响我用AI来武装和提高我们的工作流和加强我们的武器。 找到自己的小联盟和信心小团体。 5、6 位/家经过历史验证、风格成熟的朋友/机构深度结盟。教育、资金、人才网络，缺什么补什么。自救比等救世主重要。 学会和自己和解。 这一点我自己也还在练习。这个市场没有奖励那些做正确事情的人，奖励了一批骗子，奖励了一批投机者。这个事实是真的。但你做这件事的意义，不应该被市场定价。允许自己在熊市里失败、允许自己情绪低落、允许自己做一些"看起来没有产出"的事情。这不是放弃，是为下一段旅程蓄力。 10/ 我们需要更多灯塔 行业最缺的不是钱，不是技术，是灯塔。 不是只有 Vitalik 一个人需要做灯塔。每一个还留在这里、还相信这件事的人，都可以成为灯塔——给一个困惑的年轻 founder 三十分钟、给一个 runway 见底的团队一份 grant、给一个被裁员的工程师一份 referral、写一篇真诚的反思而不是华丽的 narrative。 每一束光照得不远。但加在一起，就是黑暗中那些还在前行的人不放弃的理由。 像 Sun 这样的人在做。像老胡这样的人在每个月默默给一笔钱支持那些非主流的探索。每一个人都在自己能做的事上努力着。 11/ 写给每个看到这条内容的人 如果你是 OG：行业给过你的，请回头给一份给下一代。不是几百万的大手笔，是一个 mailing list、一份 referral、一笔直接打给市场化基金管理人、一份给到困境创业者的 EIR 资助。年轻一代需要的是相信"build 这件事还值得做"。 如果你是 founder：不要孤军奋战。把真实处境告诉值得信任的人。 如果你是 builder/researcher：继续 build。不是用爱发电的那种 build，是把自己的劳动换成应得回报的那种 build。让下一代相信这件事在职业意义上仍然成立。 12/ 收尾 请每一个看到这条内容的人，把它转发给你认识的 OG。让他们去照亮别人。别忘记这个行业过去给他们带来的恩惠。 呼吁更多的 OG 和行业领袖找回责任感，为行业发声，资助更多创业者，让下一代有机会继续建设 Web3——不止是用爱发电。 赌场吞不吞噬大教堂，不是 Vitalik 一个人的事，不是 EF 一个组织的事。是我们每一个还留在这里的人共同的事。 很多人问我这个周期他们如何熬下去，所有的压力推着他们离场，很多时候选择就是一步之遥，许多年轻人需要一个老OG告诉他们如何熬过熊市。但我知道，如果我们这一代人不站出来，那么下一代根本不会有“站出来”的选项。 做点是点。 写于Fig&Olive

Anthropic's terrible safety situation is making it so that I cannot have Opus review p0 issues in Hermes Agent to review and help fix security issues. This does nothing but give hackers an asymmetric advantage over everyone - they will find jailbreaks, they will find ways around this to exploit systems - and the rest of us are locked out of using AI to protect from them. What a joke

MAP Protocol (@MapProtocol)'s token got exploited on mainnet, infinite mint. Mint on Mainnet: Mint on BSC: Exploiter earned 52.2 ETH ($110k) so far: Whatever that is.

We are investigating unauthorized access to GitHub’s internal repositories. While we currently have no evidence of impact to customer information stored outside of GitHub’s internal repositories (such as our customers’ enterprises, organizations, and repositories), we are closely monitoring our infrastructure for follow-on activity.