According to SlowMist, MistEye detected a cross-registry supply chain attack targeting developers. Attackers distributed malicious packages via npm, PyPI, and Crates.io. The campaign involved over 34 malicious packages and over 384 related versions, targeting communities including crypto, DeFi, Odaily, Sui/Move, and AI developers.
Potential attacker actions include stealing encrypted wallets, SSH keys, cloud credentials, GitHub/AWS tokens, browser data, environment variables, and developer keys. Some payloads also attempt to achieve persistence via cursorrules, CLAUDE.md, Git hooks, shell hooks, cron, systemd, and SSH.
SlowMist recommends immediately removing affected packages, isolating affected systems, preserving logs, rotating exposure credentials, rebuilding the CI runner and developer machines from clean images, and reviewing GitHub, cloud, SSH, and wallet activity.
