According to BlockBeats, on May 25th, SlowMist reported that security firm MistEye detected a cross-registry supply chain attack. Attackers targeted developers in the cryptocurrency, DeFi, Solana, Sui/Move, and AI sectors by publishing malicious packages to npm, PyPI, and crates.io. The campaign included over 34 malicious packages and over 384 related versions.
Attackers may steal cryptocurrency wallets, SSH keys, cloud credentials, GitHub/AWS tokens, browser data, environment variables, and confidential developer information. Some malicious payloads also attempt to establish persistence via .cursorrules, CLAUDE.md, Git hooks, shell hooks, cron, systemd, and SSH.
Developers are advised to immediately remove the affected packages, isolate the affected systems, retain logs, rotate exposed credentials, rebuild the CI runtime environment and developer machines from a clean image, and review GitHub, cloud service, SSH, and wallet activity logs.
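To support the review step, the following added example (not from the SlowMist report) inventories recently modified files at the persistence locations named above so they can be inspected by hand. The function name, the file paths (common defaults for each mechanism) and the day window are assumptions; the script matches no indicators from the campaign.

```shell
#!/usr/bin/env bash
# Added example: list files at persistence-capable locations (.cursorrules,
# CLAUDE.md, Git hooks, shell startup files, SSH, systemd user units) that
# changed recently. Paths are common defaults (assumption), not report IoCs.

# Run find, ignoring missing directories so one absent path never aborts.
_scan() { find "$@" 2>/dev/null || true; }

# list_persistence_points HOME_DIR REPO_DIR DAYS
# Prints, one per line and sorted, every matching file under the two roots
# whose modification time falls within the last DAYS days.
list_persistence_points() {
  local home_dir=$1 repo_dir=$2 days=$3
  {
    # AI-assistant instruction files at the repository root.
    _scan "$repo_dir" -maxdepth 1 ! -type d \
      \( -name .cursorrules -o -name CLAUDE.md \) -mtime "-$days"
    # Active Git hooks (the shipped *.sample templates never execute).
    _scan "$repo_dir/.git/hooks" -maxdepth 1 ! -type d \
      ! -name '*.sample' -mtime "-$days"
    # Shell startup files, which run on every new shell.
    _scan "$home_dir" -maxdepth 1 ! -type d \
      \( -name .bashrc -o -name .bash_profile -o -name .profile \
         -o -name .zshrc -o -name .zprofile \) -mtime "-$days"
    # SSH: added authorized keys or client config changes.
    _scan "$home_dir/.ssh" -maxdepth 1 ! -type d \
      \( -name authorized_keys -o -name config \) -mtime "-$days"
    # systemd user services and timers.
    _scan "$home_dir/.config/systemd/user" ! -type d \
      \( -name '*.service' -o -name '*.timer' \) -mtime "-$days"
  } | sort
}
```

Call it as `list_persistence_points "$HOME" /path/to/repo 30` for each checked-out repository. Cron is not covered by the function: review `crontab -l` and the system cron directories separately.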





