If you're in a hurry, head on over to soatok/elliptic-to-noble and follow the instructions in the README in order to remove the elliptic package from your project and all dependencies in node_modules. Art: CMYKat Why replace the elliptic package? Yesterday, the Trail of Bits blog published an intern's post about finding cryptographic bugs in the…

Soatok is a blog or publication authored by Soatok Dhole, a security researcher and privacy advocate. Readers can explore articles covering topics such as cryptography, privacy-enhancing technologies, and digital rights. Additionally, they can learn about cybersecurity threats, encryption protocols, and strategies for protecting online privacy.

Dhole Moments

The NPM elliptic package has unpatched cryptographic vulnerabilities discovered in 2024, with an unresponsive maintainer and over 3000 dependent packages. A new shim library called elliptic-to-noble provides a drop-in replacement that uses the more secure noble-curves implementation, allowing projects to quickly migrate away from the vulnerable package without breaking changes. The approach balances ecosystem security with respect for potentially burned-out open source maintainers.

Moving Beyond the NPM elliptic Package