PT-2024-40180 · Unknown · @dfinity/auth-client +2

Published: 2024-02-26 · Updated: 2024-02-26

CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: @nfid/embed SDK versions prior to 0.10.1-alpha.6; @dfinity/auth-client versions prior to 1.0.1; @dfinity/identity versions prior to 1.0.1.
Description: The issue affects user sessions in the @nfid/embed SDK that use Ed25519 keys, because the private key is compromised. This exposes users to potential loss of funds on ledgers and unauthorized access to canisters they control. The problem originated in the DFINITY auth client library, specifically the Ed25519KeyIdentity.generate function, which takes an optional 32-byte seed parameter. If no seed is provided, the library is expected to generate the secret key using secure randomness. However, a recent update broke this guarantee by using an insecure seed for key pair generation.
Recommendations: For @nfid/embed SDK versions prior to 0.10.1-alpha.6, update to version 0.10.1-alpha.6 or later. For @dfinity/auth-client versions prior to 1.0.1, update to version 1.0.1 or later. For @dfinity/identity versions prior to 1.0.1, update to version 1.0.1 or later. As a temporary workaround, consider re-authenticating user sessions to automatically fix the issue.
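A lockfile check for the versions listed above, as an added example that is not part of the advisory or of the affected projects' code: it flags every locked copy, including nested transitive ones, that is below its fixed version. The sample lockfile is constructed, and the npm package name `@nfid/embed` for the NFID SDK is assumed from the advisory's wording.

```javascript
// Fixed versions from the advisory; anything lower is treated as affected.
const FIXED = {
  "@nfid/embed": "0.10.1-alpha.6", // assumed npm name of the "@nfid/embed SDK"
  "@dfinity/auth-client": "1.0.1",
  "@dfinity/identity": "1.0.1",
};

// Split "1.2.3-alpha.6" into its numeric core and prerelease identifiers.
function parse(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+.*)?$/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { core: m.slice(1, 4).map(Number), pre: m[4] ? m[4].split(".") : [] };
}

// Semver precedence: negative if a < b, zero if equal, positive if a > b.
function compare(a, b) {
  const x = parse(a), y = parse(b);
  for (let i = 0; i < 3; i++) if (x.core[i] !== y.core[i]) return x.core[i] - y.core[i];
  if (!x.pre.length || !y.pre.length) return y.pre.length - x.pre.length; // release > prerelease
  for (let i = 0; i < Math.max(x.pre.length, y.pre.length); i++) {
    const p = x.pre[i], q = y.pre[i];
    if (p === undefined || q === undefined) return p === undefined ? -1 : 1;
    if (p === q) continue;
    const pn = /^\d+$/.test(p), qn = /^\d+$/.test(q);
    if (pn && qn) return Number(p) - Number(q);
    if (pn !== qn) return pn ? -1 : 1; // numeric identifiers sort below alphanumeric
    return p < q ? -1 : 1;
  }
  return 0;
}

// Report every locked copy (including nested transitive ones) below its fixed version.
function findVulnerable(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    const fixed = Object.hasOwn(FIXED, name) ? FIXED[name] : null;
    if (fixed && entry.version && compare(entry.version, fixed) < 0)
      hits.push({ path, version: entry.version, fixed });
  }
  return hits;
}

// Constructed sample in package-lock.json v3 layout, not taken from any real project.
const SAMPLE_LOCK = { packages: {
  "node_modules/@dfinity/auth-client": { version: "1.0.1" },
  "node_modules/@nfid/embed": { version: "0.10.1-alpha.5" },
  "node_modules/@nfid/embed/node_modules/@dfinity/identity": { version: "1.0.0" },
} };
for (const h of findVulnerable(SAMPLE_LOCK)) console.log(`${h.path}: ${h.version} < ${h.fixed}`);
```

The nested entry in the sample shows why a top-level upgrade alone is not enough: a dependency can pin its own older copy of an affected package.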

Fix

Weakness Enumeration: Use of Insufficiently Random Values

Related Identifiers: GHSA-84C3-J8R2-MCM8

Affected Products: @dfinity/auth-client, @dfinity/identity, @nfid/embed SDK