SlowMist: Cross-Registry Supply Chain Attack Targeting Crypto and AI Developers

BlockBeats News, May 25th, according to PeckShield, a security firm, MistEye detected a cross-registry supply chain attack where the attacker published malicious packages to npm, PyPI, and crates.io targeting developers in the cryptocurrency, DeFi, Solana, Sui/Move, and AI fields. This attack campaign involved 34 or more malicious packages and over 384 related versions.

The attacker could steal cryptocurrency wallets, SSH keys, cloud credentials, GitHub/AWS tokens, browser data, environment variables, and developer secrets. Some malicious payloads also attempted to achieve persistence through .cursorrules, CLAUDE.md, Git hooks, shell hooks, cron, systemd, and SSH.

Developers are advised to immediately remove the affected packages, isolate affected systems, retain logs, rotate exposed credentials, rebuild CI environments and developer machines from clean images, and review GitHub, cloud service, SSH, and wallet activity logs.