Attack Overview: Fake Trading Bot Repos and Malicious npm Packages
On July 1, blockchain security firm SlowMist issued an urgent security alert regarding a coordinated malicious npm supply chain attack. Attackers leveraged fake trading bot GitHub repositories and DeFi-themed npm packages to distribute JavaScript information stealers. The campaign targets npm users, DeFi developers, and trading bot operators. The attack involves 30 malicious npm packages, with stake-math@3.5.4 appearing as a locked dependency in the repository donoaccestag/forex-mt5-trading-bot. Notably, this repository has spawned approximately 2,300 highly homogeneous batch-generated forks, mostly under the poly-stocks account, signaling an unusually clear attack pattern.
Scope of Theft: From Wallet Keys to Developer Credentials
The implanted stealer is capable of exfiltrating a wide range of sensitive data. According to SlowMist's analysis, compromised data includes: crypto wallet libraries, browser cookies and saved passwords, browsing history, developer credentials, shell history, password manager databases, private keys, seed phrases, and API tokens exposed in source code. This comprehensive collection scope means that once a developer installs an affected package, nearly their entire digital identity and assets are at risk of exposure.
Response & Mitigation: Immediate Actions to Reduce Risk
In response to this attack, SlowMist recommends developers take the following actions immediately:
- Remove all affected npm packages, and audit
package.json,package-lock.json, and CI logs for any of the 30 malicious packages. - Treat any system that executed
npm installas potentially compromised. - Rotate all potentially exposed wallets, private keys, npm tokens, cloud credentials, SSH keys, and API tokens.
- Recreate affected environments from a clean image.

