BlockBeats News, July 1st: SlowMist issued a security alert after detecting a coordinated malicious npm supply chain attack. The attacker used a fake trading bot repository and a DeFi-themed npm package to deliver a JavaScript information stealer, targeting npm users, DeFi developers, and trading bot users. The attack involved 30 malicious npm packages, with stake-math@3.5.4 appearing as a pinned dependency in the donoaccestag/forex-mt5-trading-bot repository. That repository had approximately 2,300 highly homogeneous, bulk-generated forks, mostly concentrated under the poly-stocks account, a clear anomaly signal.
The range of sensitive data the stealer can exfiltrate is extensive: cryptocurrency wallet files, browser cookies and saved passwords, browsing history, developer credentials, shell history, password manager vaults, private keys, mnemonics, and API tokens exposed in source code. SlowMist recommends that developers immediately remove the affected npm packages; audit whether any of the 30 malicious packages appear in package.json, package-lock.json, or CI logs; treat any system that has run npm install with them as potentially compromised; rotate all exposed wallets, private keys, npm tokens, cloud credentials, SSH keys, and API tokens; and rebuild affected environments from clean images.
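A lockfile audit of the kind SlowMist recommends, as an added example that is not part of the BlockBeats or SlowMist text. It assumes a BLOCKLIST holding only the one package the alert names (stake-math@3.5.4; the other 29 are not listed here) and a constructed sample package-lock.json.

```javascript
const BLOCKLIST = ["stake-math@3.5.4"]; // only package the alert names; extend with the full list

// Parse "name@version", "@scope/name@version", or a bare "name" (any version).
function parseSpec(spec) {
  const at = spec.lastIndexOf("@");
  return at <= 0 ? { name: spec, version: null } : { name: spec.slice(0, at), version: spec.slice(at + 1) };
}

// Return every installed package in a package-lock.json that matches the
// blocklist, with the path it sits at. Handles lockfileVersion 2/3 ("packages"
// map) and falls back to the lockfileVersion 1 nested "dependencies" tree.
function findMaliciousPackages(lock, blocklist = BLOCKLIST) {
  const bad = blocklist.map(parseSpec);
  const hits = [];
  const check = (path, name, version) => {
    for (const b of bad) {
      if (b.name === name && (b.version === null || b.version === version)) {
        hits.push({ path, name, version });
      }
    }
  };
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === "") continue; // root project entry, not a dependency
      // Package name is everything after the last "node_modules/", which
      // keeps scopes intact for nested installs like a/node_modules/@s/b.
      check(path, path.split("node_modules/").pop(), entry.version);
    }
    return hits;
  }
  const walkV1 = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      check(path, name, entry.version);
      walkV1(entry.dependencies, path + "/");
    }
  };
  walkV1(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfile (v3 shape), not from any real project.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-bot", version: "1.0.0" },
    "node_modules/left-pad": { version: "1.3.0" },
    "node_modules/forex-helper/node_modules/stake-math": { version: "3.5.4" },
  },
};
console.log(findMaliciousPackages(SAMPLE_LOCK)); // one hit: the nested stake-math 3.5.4
```

Run it against a real lockfile with `findMaliciousPackages(JSON.parse(fs.readFileSync("package-lock.json", "utf8")))`; a transitive match like the nested one above is exactly the case a grep of package.json alone would miss.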
