BTC $61,816.95 -1.85%
ETH $1,726.26 -1.97%
BNB $565.91 -0.92%
XRP $1.08 -1.52%
SOL $76.90 -2.89%
TRX $0.3285 -0.61%
DOGE $0.0720 -1.19%
ADA $0.1661 -3.63%
BCH $232.53 -2.69%
LINK $7.59 -1.80%
HYPE $67.20 -1.76%
AAVE $87.10 -1.71%
SUI $0.7144 -0.59%
XLM $0.1802 -3.17%
ZEC $456.84 -5.80%
BTC $61,816.95 -1.85%
ETH $1,726.26 -1.97%
BNB $565.91 -0.92%
XRP $1.08 -1.52%
SOL $76.90 -2.89%
TRX $0.3285 -0.61%
DOGE $0.0720 -1.19%
ADA $0.1661 -3.63%
BCH $232.53 -2.69%
LINK $7.59 -1.80%
HYPE $67.20 -1.76%
AAVE $87.10 -1.71%
SUI $0.7144 -0.59%
XLM $0.1802 -3.17%
ZEC $456.84 -5.80%

npm

All
Article
Flash

Security Alert: 30 malicious npm packages disguised as trading bot repositories, targeting the theft of developer keys and mnemonic phrases

SlowMist issued a security alert, detecting a coordinated malicious npm supply chain attack. The attackers utilized fake trading bot repositories and DeFi-themed npm packages to deploy JavaScript information stealers, targeting npm users, DeFi developers, and trading bot users.This attack involved 30 malicious npm packages, among which stake-math@3.5.4 appeared as a locked dependency in the donoaccestag/forex-mt5-trading-bot repository. This repository presented approximately 2300 highly homogeneous bulk-generated forks, mostly concentrated under the poly-stocks account, with signals being exceptionally clear. The sensitive data that attackers could steal is extensive, including cryptocurrency wallet libraries, browser cookies and saved passwords, browsing history, developer credentials, shell history, password manager libraries, private keys, mnemonic phrases, and API tokens exposed in source code.SlowMist recommends that developers immediately remove the affected npm packages, audit package.json and package-lock.json, and check CI logs for any of the 30 malicious packages; consider any system that has executed npm install as potentially compromised, rotate all exposed wallets, private keys, npm tokens, cloud credentials, SSH keys, and API tokens, and rebuild the affected environment from a clean image.

Slow Fog: Red Hat cloud service npm package suffers from active supply chain attacks, with stolen credentials found in over 300 GitHub repositories

SlowMist has issued a security alert, detecting an active npm supply chain attack targeting @redhat-cloud-services related packages. Currently, over 31 packages have been confirmed affected, with a weekly download volume of approximately 116,000 times, and stolen credentials exist in more than 300 GitHub repositories. This attack method is highly similar to the previous "Shai-Hulud" npm attack, including credential theft, creation of malicious repositories, and automated secret leakage. New suspicious repositories continue to emerge, indicating that the attack is still ongoing, and developers are still being continuously infected.Potential harms include: theft of GitHub/npm tokens, leakage of AWS/GCP/Azure cloud credentials, collection of SSH keys and Kubernetes secrets, leakage of local environment and wallet data, creation of malicious repositories and persistence operations, and even potentially destructive actions after tokens are revoked. It is recommended to immediately remove or downgrade affected @redhat-cloud-services package versions, conduct a comprehensive audit of CI/CD workflows and dependency installations, rotate all GitHub, npm, cloud service, SSH, and wallet-related keys, retain logs, and rebuild exposed developer machines or Runners from clean images while maintaining a high level of vigilance.
app_icon
ChainCatcher Building the Web3 world with innovations.