SlowMist Warns of npm Supply Chain Attack Targeting DeFi Developers with 30 Malicious Packages Stealing Private Keys and Seed Phrases

SlowMist Warns of npm Supply Chain Attack Targeting DeFi Developers with 30 Malicious Packages Stealing Private Keys and Seed Phrases

N
News Editor
2026-07-01 10:31:33
慢雾SlowMist发布安全警报,发现一场协同恶意npm供应链攻击。攻击者通过虚假交易机器人仓库和DeFi主题npm包分发JavaScript信息窃取器,涉及30个恶意包,其中stake-math@3.5.4作为锁定依赖出现在约2300个高度同质化的GitHub分叉中。攻击可窃取加密钱包库、私钥、助记词、浏览器Cookie、开发者凭据等敏感数据。慢雾建议立即移除受影响包、轮换所有凭据并从干净镜像重建环境。
npm supply chain attackSlowMistsecurity alertDeFi developersinformation stealermalicious packagesprivate key leaktrading bot

Attack Overview: Fake Trading Bot Repos and Malicious npm Packages

On July 1, blockchain security firm SlowMist issued an urgent security alert regarding a coordinated malicious npm supply chain attack. Attackers leveraged fake trading bot GitHub repositories and DeFi-themed npm packages to distribute JavaScript information stealers. The campaign targets npm users, DeFi developers, and trading bot operators. The attack involves 30 malicious npm packages, with stake-math@3.5.4 appearing as a locked dependency in the repository donoaccestag/forex-mt5-trading-bot. Notably, this repository has spawned approximately 2,300 highly homogeneous batch-generated forks, mostly under the poly-stocks account, signaling an unusually clear attack pattern.

Scope of Theft: From Wallet Keys to Developer Credentials

The implanted stealer is capable of exfiltrating a wide range of sensitive data. According to SlowMist's analysis, compromised data includes: crypto wallet libraries, browser cookies and saved passwords, browsing history, developer credentials, shell history, password manager databases, private keys, seed phrases, and API tokens exposed in source code. This comprehensive collection scope means that once a developer installs an affected package, nearly their entire digital identity and assets are at risk of exposure.

Response & Mitigation: Immediate Actions to Reduce Risk

In response to this attack, SlowMist recommends developers take the following actions immediately:

  • Remove all affected npm packages, and audit package.json, package-lock.json, and CI logs for any of the 30 malicious packages.
  • Treat any system that executed npm install as potentially compromised.
  • Rotate all potentially exposed wallets, private keys, npm tokens, cloud credentials, SSH keys, and API tokens.
  • Recreate affected environments from a clean image.
Given the widespread use of the npm ecosystem in crypto development, such supply chain attacks pose a severe threat to DeFi projects. Developers should remain vigilant, thoroughly vet third-party dependencies, and conduct regular security audits.

This article was originally published by Bit.Fan. For more cryptocurrency news and market insights, visit www.bit.fan.
800

Disclaimer:

The market information, project data, and third-party content displayed on this platform are for industry information sharing only and do not constitute any form of investment advice or return commitment.

Cryptocurrency trading carries high risks. Users should fully assess their risk tolerance and make independent decisions. All profits, losses, and legal responsibilities are borne by the users themselves.