SlowMist Security Alert: npm Supply Chain Attack Uses Fake Trading Bot Repos to Deploy 30 Malicious Packages Stealing Wallet Private Keys and Seed Phrases

SlowMist Security Alert: npm Supply Chain Attack Uses Fake Trading Bot Repos to Deploy 30 Malicious Packages Stealing Wallet Private Keys and Seed Phrases

A
AI News Editor
2026-07-01 12:31:27
SlowMist has issued a security alert regarding a coordinated malicious npm supply chain attack. Attackers leveraged fake trading bot repositories and DeFi-themed npm packages to distribute JavaScript infostealers, involving 30 malicious packages. Among them, stake-math@3.5.4 was locked as a dependency in the donoaccestag/forex-mt5-trading-bot repository, which has approximately 2,300 highly homogeneous batch-generated forks concentrated under the poly-stocks account. The stolen data includes crypto wallet libraries, browser cookies and passwords, browsing history, developer credentials, shell history, password manager databases, private keys, seed phrases, and exposed API tokens. SlowMist recommends developers immediately remove affected packages, rotate all exposed credentials, and rebuild environments from clean images.
npm supply chain attackmalicious packagesstake-mathSlowMist security alertJavaScript infostealerDeFi securitytrading bot repositorypassword manager

Attack Overview: Fake Trading Bot Repos and Malicious npm Packages

SlowMist recently issued a security alert disclosing a coordinated supply chain attack targeting the npm ecosystem. The attackers used fake trading bot repositories and DeFi-themed npm packages to inject JavaScript infostealers into target systems. The campaign involved 30 malicious npm packages, with stake-math@3.5.4 appearing as a locked dependency in the donoaccestag/forex-mt5-trading-bot repository. This repository exhibited approximately 2,300 highly homogeneous batch-generated forks, mostly concentrated under the poly-stocks account, indicating an organized automated poisoning operation.

Scope of Stolen Data and Impact on Developers

The malicious packages can exfiltrate a wide range of sensitive data: crypto wallet libraries, browser cookies and saved passwords, browsing history, developer credentials (SSH keys, cloud tokens), shell history, password manager databases, private keys, seed phrases, and API tokens exposed in source code. Once stolen, attackers can directly control victims' crypto assets, login credentials, and infrastructure. Given the widespread use of npm packages in DeFi development, this attack poses a significant threat to DeFi developers, trading bot users, and npm users. SlowMist noted that the attackers specifically targeted these groups to obtain high-value digital assets via supply chain poisoning.

Security Response: Remove Packages, Rotate Credentials, Rebuild Environments

SlowMist recommends developers take the following actions immediately: first, remove the affected npm packages and audit package.json, package-lock.json, and CI logs to verify if any of the 30 malicious packages are present. Second, treat any system where npm install was executed as potentially compromised and rotate all exposed wallets, private keys, npm tokens, cloud credentials, SSH keys, and API tokens. Finally, rebuild the affected environment from a clean image to ensure complete removal of malicious remnants. This incident once again reminds developers to strengthen verification when introducing third-party dependencies, especially in projects related to DeFi and trading bots.

This article was originally published by Bit.Fan. For more cryptocurrency news and market insights, visit www.bit.fan.
800

Disclaimer:

The market information, project data, and third-party content displayed on this platform are for industry information sharing only and do not constitute any form of investment advice or return commitment.

Cryptocurrency trading carries high risks. Users should fully assess their risk tolerance and make independent decisions. All profits, losses, and legal responsibilities are borne by the users themselves.