Miladymaker.net injected in provider setup (CORS error)

[ivelin]

Ethers Version

5.6.9

Search Terms

Milady, Miladymaker

Describe the Problem

In gitpod dev environment I started noticing a CORS error that traces back to initializing ethers providers. It is not clear whether it comes from rainbowkit or wagmi during ethers initialization. I could not find a reference to this milady error by simple google search. Maybe a more sophisticated injection in a dependency library.

Is miladymaker supposed to be part of any default ethers providers initialization or this is a malicious lib attack?

This is the source repo of the project using ethers (via wagmi, rainbowkit) where this issue was spotted:
https://github.com/ivelin/sweat-token

To reproduce, open this gitpod url, and go to the web app on port 3000.
https://gitpod.io/#https://github.com/ivelin/sweat-token

Console dev screenshots attached:

Code Snippet

No response

Contract ABI

No response

Errors

No response

Environment

node.js (v12 or newer), Browser (Chrome, Safari, etc)

Environment (Other)

No response

[ricmoo]

Ethers does not use any library or url with milady; it must be something to do with other parts of the application or another library.

[ricmoo]

(if you look at your rolled up code, it should be easier to search for the url and see which library it is coming from)

[ricmoo]

Looking at http://www.miladymaker.net/, my guess is one of your packages uses it to look up a PFP or related data.

[ivelin]

That was my initial reaction. We do not show pfps in the app yet and searching in the code including node_modules does not turn up miladymaker.net. That is what made me think it might be intentionally obfuscated. Will keep looking.

[ricmoo]

Thanks, please do, because it does seem a bit weird.