Attack Overview: Fake Trading Bot Repos and Malicious npm Packages
SlowMist recently issued a security alert disclosing a coordinated supply chain attack targeting the npm ecosystem. The attackers used fake trading bot repositories and DeFi-themed npm packages to inject JavaScript infostealers into target systems. The campaign involved 30 malicious npm packages, with stake-math@3.5.4 appearing as a locked dependency in the donoaccestag/forex-mt5-trading-bot repository. This repository exhibited approximately 2,300 highly homogeneous batch-generated forks, mostly concentrated under the poly-stocks account, indicating an organized automated poisoning operation.
Scope of Stolen Data and Impact on Developers
The malicious packages can exfiltrate a wide range of sensitive data: crypto wallet libraries, browser cookies and saved passwords, browsing history, developer credentials (SSH keys, cloud tokens), shell history, password manager databases, private keys, seed phrases, and API tokens exposed in source code. Once stolen, attackers can directly control victims' crypto assets, login credentials, and infrastructure. Given the widespread use of npm packages in DeFi development, this attack poses a significant threat to DeFi developers, trading bot users, and npm users. SlowMist noted that the attackers specifically targeted these groups to obtain high-value digital assets via supply chain poisoning.
Security Response: Remove Packages, Rotate Credentials, Rebuild Environments
SlowMist recommends developers take the following actions immediately: first, remove the affected npm packages and audit package.json, package-lock.json, and CI logs to verify if any of the 30 malicious packages are present. Second, treat any system where npm install was executed as potentially compromised and rotate all exposed wallets, private keys, npm tokens, cloud credentials, SSH keys, and API tokens. Finally, rebuild the affected environment from a clean image to ensure complete removal of malicious remnants. This incident once again reminds developers to strengthen verification when introducing third-party dependencies, especially in projects related to DeFi and trading bots.

