According to security firm SlowMist, on July 1, researchers identified a coordinated npm supply chain attack involving 30 malicious packages disguised as trading bot repositories and DeFi tools. The attack targets npm users, DeFi developers, and trading bot users. One package, stake-math@3.5.4, appeared as a locked dependency in a repository that spawned approximately 2,300 nearly identical forked versions, primarily under the poly-stocks account.
The malicious packages are capable of stealing wallet libraries, browser cookies, saved passwords, browsing history, developer credentials, shell histories, password manager databases, private keys, seed phrases, and API tokens from source code. SlowMist recommended developers immediately remove affected packages and rotate all exposed credentials and keys.
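A first step in acting on an advisory like this is to check whether a named package@version actually appears in a project's lockfile, including when it was pulled in transitively, as stake-math@3.5.4 was as a locked dependency. The following script is an added example, not code from SlowMist or from the page; it walks a `package-lock.json` in both the lockfileVersion 1 layout (nested `dependencies` tree) and the v2/v3 layout (flat `packages` map keyed by install path) and reports every install path whose name and version match a blocklist. The blocklist holds only stake-math@3.5.4 because that is the only package the advisory summary names; the sample lockfiles are constructed for the example, and `example-utils` and `trading-helpers` are made-up benign package names.

```python
import json
from typing import Dict, Iterator, List, Set, Tuple

# Known-bad (name, version) pairs. Only stake-math@3.5.4 is named in the
# advisory summarised above; extend this set with the full published list.
BLOCKLIST: Set[Tuple[str, str]] = {
    ("stake-math", "3.5.4"),
}


def _walk_v1(deps: Dict, prefix: str) -> Iterator[Tuple[str, str, str]]:
    """Recurse through a lockfileVersion 1 'dependencies' tree."""
    for name, meta in deps.items():
        path = f"{prefix}node_modules/{name}"
        yield name, meta.get("version"), path
        nested = meta.get("dependencies")
        if isinstance(nested, dict):
            yield from _walk_v1(nested, path + "/")


def iter_lock_entries(lock: Dict) -> Iterator[Tuple[str, str, str]]:
    """Yield (name, version, install_path) for every dependency in a
    package-lock.json, whichever lockfile layout it uses."""
    packages = lock.get("packages")
    if isinstance(packages, dict):  # lockfileVersion 2 and 3
        for path, meta in packages.items():
            if not path:  # "" is the root project itself, not a dependency
                continue
            # Aliased installs carry an explicit name; otherwise derive it
            # from the install path (handles @scope/name as well).
            name = meta.get("name") or path.split("node_modules/")[-1]
            yield name, meta.get("version"), path
    deps = lock.get("dependencies")
    if isinstance(deps, dict):  # lockfileVersion 1 (also present in v2 files)
        yield from _walk_v1(deps, "")


def find_blocklisted(lock: Dict, blocklist: Set[Tuple[str, str]] = BLOCKLIST) -> List[Dict]:
    """Return one record per install path that matches the blocklist.
    v2 lockfiles list each package twice (packages + dependencies), so
    results are de-duplicated by install path."""
    hits: List[Dict] = []
    seen: Set[str] = set()
    for name, version, path in iter_lock_entries(lock):
        if (name, version) in blocklist and path not in seen:
            seen.add(path)
            hits.append({"name": name, "version": version, "path": path})
    return hits


def scan_lockfile(filename: str) -> List[Dict]:
    """Load a package-lock.json from disk and scan it."""
    with open(filename, "r", encoding="utf-8") as fh:
        return find_blocklisted(json.load(fh))


# Constructed sample: a v3 lockfile with the package as a direct dependency.
SAMPLE_LOCK_V3 = {
    "name": "trading-bot",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "trading-bot", "version": "1.0.0",
             "dependencies": {"stake-math": "^3.5.4", "example-utils": "^1.0.0"}},
        "node_modules/stake-math": {"version": "3.5.4"},
        "node_modules/example-utils": {"version": "1.0.0"},
    },
}

# Constructed sample: a v1 lockfile where the package is pulled in transitively.
SAMPLE_LOCK_V1 = {
    "name": "trading-bot",
    "lockfileVersion": 1,
    "dependencies": {
        "trading-helpers": {
            "version": "2.0.0",
            "dependencies": {"stake-math": {"version": "3.5.4"}},
        },
        "example-utils": {"version": "1.0.0"},
    },
}

if __name__ == "__main__":
    for label, lock in (("v3", SAMPLE_LOCK_V3), ("v1", SAMPLE_LOCK_V1)):
        for hit in find_blocklisted(lock):
            print(f"[{label}] {hit['name']}@{hit['version']} at {hit['path']}")
```

Run it against a real project with `scan_lockfile("package-lock.json")`; a non-empty result means the locked dependency tree contains the named package and the advisory's advice applies (remove it, then rotate every credential the machine could have exposed). The match is on exact name and version because that is what the advisory identifies; it deliberately does not assume other versions of the same name are safe or unsafe.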