SlowMist
SlowMist|7月 01, 2026 08:47
🚨 SlowMist TI Alert 🚨 MistEye has detected a coordinated malicious npm supply-chain campaign using fake trading-bot repositories and DeFi-themed npm packages to deliver JavaScript infostealers targeting npm users, DeFi developers, and trading-bot users. The campaign involves 30 malicious npm packages, including stake-math@3.5.4, which appears as a locked dependency in donoaccestag/forex-mt5-trading-bot. The repository shows clear abnormal signals: it depends on a security-reported malicious npm package and has around 2.3k highly homogeneous, likely batch-generated forks, with most concentrated under the poly-stocks account. Potential attacker actions include exfiltrating local sensitive data, such as crypto wallet vaults, browser cookies, saved passwords, browsing history, developer credentials, shell history, password manager vaults, private keys, mnemonic phrases, and API tokens discovered in source code. Developers should immediately remove affected npm packages, audit package.json / package-lock.json and CI logs for any of the 30 malicious packages, treat systems that ran npm install as potentially compromised, rotate exposed wallets, private keys, npm tokens, cloud credentials, SSH keys, and API tokens, and rebuild impacted environments from clean images. Special thanks to @safedepio for the excellent discovery. As always, stay vigilant! https://enterprise.misteye.io/threat-intelligence/SM-2026-780174
+3
Mentioned
Share To

Timeline

HotFlash

APP

X

Telegram

Facebook

Reddit

CopyLink

Hot Reads