Foresight News|7月 01, 2026 08:56
Slow Mist: Detected malicious supply chain attack activities targeting npm users and DeFi developers
According to SlowMist monitoring, MistEye has detected a coordinated malicious npm supply chain activity that utilizes fake trading robot code libraries and DeFi themed npm packages to deliver JavaScript information theft tools to npm users, DeFi developers, and trading machine users. \This event involves 30 malicious npm packages, including stake-math@3.5.4 The package appears as a locked dependency in the donoacestage/forex-mt5-trading bot. The code repository shows obvious abnormal signals: it relies on malicious npm packages that have been reported by security, and there are about 2300 highly homogeneous, possibly batch generated forks, mainly concentrated under poly stocks accounts. \The behavior of potential attackers includes stealing sensitive local data, such as encrypted wallets, browser cookies, saved passwords, browsing history, developer credentials, shell history, password manager safes, private keys, mnemonics, and API tokens found in source code. Developers should immediately remove the affected npm packages, audit packagejson/package-lockjson and CI logs to search for these 30 malicious packages, consider the system that previously ran npm install as a potential attacker, promptly replace exposed wallets, private keys, npm tokens, cloud credentials, SSH keys, and API tokens, and rebuild the affected environment from a clean image.
Share To
HotFlash
APP
X
Telegram
CopyLink