Largest Supply Chain Attack Targets JavaScript Libraries, Threatens Crypto Security
#SupplyChainAttack #JavaScript #NPM #CryptoSecurity #CryptoClipper #WalletSecurity #HardwareWallet #SeedPhrase #Chalk #StripAnsi #ColorConvert #Cybersecurity #Malware
According to Cointelegraph, a significant supply chain attack has compromised widely used JavaScript software libraries, marking what is being described as the largest incident of its kind in history. The injected malware is reportedly designed to steal cryptocurrency by swapping wallet addresses and intercepting transactions. Reports indicate that hackers infiltrated the node package manager (NPM) account of a prominent developer, secretly embedding malware into popular JavaScript libraries utilized by millions of applications.
The malicious code is capable of hijacking or swapping cryptocurrency wallet addresses, thereby putting billions of downloads' worth of projects at risk. The breach specifically targeted packages such as chalk, strip-ansi, and color-convert, which are small utilities deeply embedded in the dependency trees of numerous projects. These libraries collectively receive over a billion downloads each week, suggesting that even developers who have not directly installed them could be exposed to the threat.
NPM functions as a central repository for developers, akin to an app store, where they can share and download small code packages to construct JavaScript projects. The attackers appear to have deployed a crypto-clipper, a type of malware that discreetly replaces wallet addresses during transactions to divert funds. Security researchers have cautioned that users relying on software wallets may be particularly vulnerable, whereas those who confirm every transaction on a hardware wallet are protected. It remains uncertain whether the malware also attempts to directly steal seed phrases.
This situation is evolving, and additional information will be provided as it becomes available.
HashDit Alerts on Ongoing Supply Chain Attack via Compromised NPM Account
#HashDit #NPM #NPMAccount #SupplyChainAttack #SoftwareSupplyChain #Web3Security #CyberSecurity #SecurityAlert #ThreatIntelligence #DevSecOps
The Web3 security firm HashDit stated on X, "There's a large-scale supply chain attack in progress: the NPM account of a reputable developer has been compromised." The firm highlighted the severity of the situation, urging developers and users to remain vigilant and take necessary precautions to protect their systems from potential threats. This incident underscores the importance of security measures in safeguarding digital platforms and assets.
Ledger CTO Addresses Recent NPM Attack and Supply Chain Threats
#Ledger #NPM #NPMAttack #SupplyChainAttack #Phishing #Ethereum #Solana #HardwareWallets #ClearSigning #TransactionChecks #JavaScript #JavaScriptEcosystem #CryptoSecurity #BlockBeats #LedgerSecurity
According to BlockBeats, Ledger's Chief Technology Officer Charles Guillemet has provided an update on the recent NPM attack, stating that fortunately the attack was unsuccessful, with minimal victims. The attack began with phishing emails disguised as npm support domains, aiming to steal user credentials so that the attackers could publish malicious package updates. The injected code targeted cryptocurrency activity on chains such as Ethereum and Solana, hijacking transactions and replacing wallet addresses directly in network responses. An error by the attackers caused a CI/CD pipeline crash, enabling early detection and limiting the impact.
Guillemet emphasized that this incident serves as a clear reminder of the risks associated with storing funds in software wallets or exchanges, where a single code execution could result in significant losses. Supply chain attacks remain a potent method for spreading malware, with an increasing number of targeted attacks being observed.
Hardware wallets are specifically designed to counter such threats. Features like "clear signing" allow users to accurately verify transaction details, while "transaction checks" can flag suspicious activities before issues arise. Although the immediate danger may have passed, the threat persists, and maintaining security is crucial.
Earlier today, BlockBeats reported a large-scale supply chain attack involving the compromise of a well-known developer's NPM account. The affected package has been downloaded over a billion times, posing a potential risk to the entire JavaScript ecosystem.
DuckDB NPM Account Compromised, Malicious Versions Released
#DuckDB #NPM #AccountCompromised #MaliciousVersions #DuckDBWasm #WalletStealing #SupplyChainAttack #Cybersecurity #PANews #SlowMist
According to PANews, SlowMist Technology's Chief Information Security Officer, 23pds, announced on the X platform that the DuckDB NPM account has been compromised. Early this morning, malicious versions of packages such as duckdb and duckdb-wasm were released. These malicious versions match the wallet-stealing malware identified in yesterday's supply chain attack. Users are advised to exercise caution and implement risk prevention measures.
NPM Supply Chain Attack Detected: Malicious Version of Popular Package Released
#NPM #SupplyChainAttack #tinycolor #TruffleHog #MaliciousPackage #PostInstall #InformationStealing #SecurityAlert #LockVersion #Update #SafeVersion
According to PANews, Scam Sniffer has detected a new attack on the NPM supply chain. The package @ctrl/tinycolor, which has 2.2 million weekly downloads, released a malicious version that runs an information-stealing program from npm's post-install script to scan for and exfiltrate sensitive data. The payload abuses TruffleHog, a legitimate secret-scanning tool, to find that data. Users are advised to check whether they have installed the affected version, halt installation and update operations, and pin the version to a known safe one.
HashDit Alerts on NPM Supply Chain Attack Involving Malicious Package
#HashDit #NPM #SupplyChainAttack #MaliciousPackage #CtrlTinycolor #Web3Security #DependencyManagement #SecurityAlert
The Web3 security firm HashDit stated on X, "Another NPM supply chain attack involving the package '@ctrl/tinycolor' has been identified, with malicious versions being distributed." The package, which receives 2.2 million weekly downloads, has been compromised to execute unauthorized scripts. Users are advised to review their dependencies and ensure they are using secure versions to prevent potential security breaches.
Qilin Ransomware Group Targets South Korean IT Firm in Major Data Breach
#QilinRansomware #SouthKorea #DataBreach #CyberAttack #SupplyChainAttack #GJTec #FinancialSector #Bitdefender #APTGroup #MoonstoneSleet #NorthKorea #Russia #CyberSecurity
According to PANews, the Qilin ransomware group has executed a significant supply chain attack on South Korean IT service provider GJTec, resulting in the theft of 2TB of data, including over one million files. This breach has impacted 28 financial companies. Bitdefender's investigation suggests a connection between this operation and the North Korean-backed APT group 'Moonstone Sleet,' which is suspected to be collaborating with the Russian-speaking Qilin organization. The attack appears to be aimed at exerting pressure on the South Korean financial market.
New Variant of NPM Supply Chain Attack Emerges
#NPM #supplychainattack #ShaiHulud #ShaiHulud3.0 #securityalert #SlowMist #developercredentials #cloudkeys #environmentsecrets #AikidoSecurity #CharlieEriksen #cybersecurity #TrustWallet
According to BlockBeats, a security alert has been issued by SlowMist Technology's Chief Information Security Officer, 23pds, regarding a new variant of the NPM supply chain attack known as 'Shai-Hulud 3.0.' Project teams and platforms are advised to take preventive measures. Previously, it was suspected that the Trust Wallet API key leak might have been caused by the Shai-Hulud 2.0 attack.
Shai-Hulud is a series of self-propagating worm-like supply chain attacks targeting the NPM ecosystem, aimed at stealing developer credentials, cloud keys, and environment secrets. The latest variant, referred to by the community as Shai-Hulud 3.0 or the new strain, was discovered on December 28, 2025, by Aikido Security researcher Charlie Eriksen. Currently, its spread is limited, suggesting it may still be in the testing phase.
Security Alert: Malicious Skill 'What Would Elon Do' Identified as Trojan Program
#SecurityAlert #MaliciousSkill #TrojanProgram #WhatWouldElonDo #ClawHub #GoPlus #SSHkeys #Cryptocurrency #BrowserCookies #SupplyChainAttack #OpenClaw #ForesightNews #chiefofautism #MaliciousSkills
A recent report highlights a significant security threat involving the Skill 'What Would Elon Do,' which was once the top download on ClawHub. According to Foresight News, GoPlus monitoring has revealed that this Skill is actually a Trojan program. Attackers manipulated rankings and used bots to increase downloads, leading many users to install the malicious software.
Once installed, the Skill steals users' SSH keys, cryptocurrency wallet private keys, and browser cookies, establishing a reverse shell to the attackers' server. This has resulted in actual asset losses for users. The incident has uncovered a severe new supply chain attack vector within the Skill ecosystem. GoPlus advises users to cease running OpenClaw without protection.
Additionally, chiefofautism has disclosed that the ClawHub marketplace contains 1,184 malicious Skills, with a single attacker responsible for uploading 677 of these harmful packages.
Holdstation Faces Supply Chain Attack Resulting in Significant Losses
#supplychainattack #cybersecurity #userfunds #usdt #accountabstraction #maliciouscode #securitybreach #blockchain #bugbounty
Holdstation, a provider of account abstraction solutions, has experienced a supply chain attack, according to ChainCatcher. The attack involved the theft of developer session tokens, allowing the attacker to bypass two-factor authentication and inject malicious code into an application update, leading to the theft of user funds.
The attack resulted in a loss of 462,000 USDT, with the attacker's address identified as 0xcbfA60B39cfAeaE475f649fB6705bD477219bF8d. In response, the Holdstation team has suspended services and pledged to fully compensate affected users. They are collaborating with security teams to investigate the incident and have issued a message on the blockchain, hoping to encourage the attacker to return the funds through a bug bounty program.
Supply Chain Attack Targets PyPI Package LiteLLM with Malicious Code
#SupplyChainAttack #PyPI #LiteLLM #MaliciousCode #CyberSecurity #DataBreach #CloudSecurity #Kubernetes #CryptoSecurity #CI_CD #DatabaseSecurity
A recent supply chain attack has compromised the PyPI package LiteLLM, which is downloaded approximately 97 million times monthly. According to NS3.AI, the malicious version of the package was designed to steal sensitive information, including SSH keys, cloud credentials, Kubernetes files, git credentials, environment variables, cryptocurrency wallets, SSL private keys, CI/CD keys, and database passwords. The attack was short-lived, as the malicious code was available for less than an hour. A bug in the implant led to developer Callum McMahon's machine running out of memory and crashing, inadvertently revealing the attack.
Apifox Desktop Client Faces Supply Chain Attack with Malicious Code Injection
#Apifox #DesktopClient #SupplyChainAttack #MaliciousCode #JavaScript #CredentialTheft #SensitiveDataExposure #RemoteCommandExecution #SecurityBreach #SlowMist #CyberSecurity #APILogs #TokenRevoke #PasswordReset #APIReview
Apifox's desktop client has been targeted in a supply chain attack, according to PANews. The official CDN-hosted front-end script files were injected with highly obfuscated malicious JavaScript code. Users affected by this breach may face risks such as credential theft, sensitive data exposure, and remote command execution, with the malicious code executing automatically and remaining highly concealed.
Security firm SlowMist advises users to immediately revoke all tokens, reset passwords, log out and log back in to invalidate sessions, block the domain *.apifox.it.com, clear local storage, and review API logs and any abnormal activities.
Supply Chain Attack Targets Popular npm Package Axios
#SupplyChainAttack #npm #Axios #Malware #CyberSecurity #ForesightNews #SocketAI
A significant supply chain attack has targeted the npm package axios, according to Foresight News. The latest version, axios@1.14.1, has been compromised to pull in a malicious dependency, plain-crypto-js@4.2.1, a package that did not previously exist. Socket AI's analysis has confirmed this package as malware. Axios exceeds 100 million weekly downloads, so every project that has updated to the latest version is potentially at risk.
Feross, the founder of Socket AI, advises all axios users to immediately lock their current version and review their lock files, avoiding any upgrades to the latest version.
AI TRENDS | Security Alert Issued for OpenClaw Users Over Potential Axios Threat
#AI #CyberSecurity #OpenClaw #Axios #SupplyChainAttack #SecurityAlert #TechNews #MalwareThreat
On March 31, a security alert was issued by SlowMist founder Yu Jian, warning users about potential risks associated with the latest version 3.28 of OpenClaw. According to BlockBeats, there is a possibility that this version may introduce a compromised version of axios, a widely used library. Users are advised to conduct thorough checks to ensure their systems are not affected.
Earlier today, 1M AI News reported that axios has been subjected to a supply chain attack, with two new versions introducing malicious dependencies. It is recommended that users immediately roll back to previous versions to mitigate any potential threats.
Axios Library Compromised by Malicious Attack
#Axios #JavaScript #npm #CyberSecurity #Malware #RAT #SupplyChainAttack #macOS #Windows #Linux #SoftwareSecurity #OIDC #SLSA #Huntress #ChainCatcher #npmToken
An attacker has compromised the npm access token of the lead maintainer of Axios, a popular JavaScript HTTP client library, and used it to release two malicious versions containing cross-platform remote access trojans (RATs). According to ChainCatcher, these versions, axios@1.14.1 and axios@0.3.4, targeted macOS, Windows, and Linux systems. The malicious packages were removed from the npm registry approximately three hours after their release.
Data from security company Wiz indicates that Axios is downloaded over 100 million times weekly and is present in about 80% of cloud and code environments. Security firm Huntress detected the first infections just 89 seconds after the malicious packages went live and confirmed that at least 135 systems were compromised during the exposure period. Notably, the Axios project had implemented modern security measures such as the OIDC trusted publishing mechanism and SLSA provenance proofs. However, the attacker bypassed these defenses entirely.
The investigation revealed that while configuring OIDC, the project retained the traditional long-lived NPM_TOKEN. When both tokens coexist, npm defaults to using the traditional token, allowing the attacker to publish without breaching OIDC.
Mercor Faces Major Security Breach Affecting AI Companies
#Mercor #securitybreach #AIcompanies #OpenAI #Anthropic #Meta #supplychainattack #LiteLLM #TeamPCP #Lapsus #databreach #confidentialdata #forensicinvestigation
A significant security breach has impacted Mercor, a startup providing training data to AI companies such as OpenAI, Anthropic, and Meta. According to ChainCatcher, the incident resulted from a supply chain attack on the open-source library LiteLLM, widely used by developers to connect AI services, with millions of daily downloads.
The attack was initiated by the hacker group TeamPCP, which inserted malicious code into LiteLLM to steal credentials. Subsequently, another hacker group, Lapsus$, claimed to have obtained up to 4TB of Mercor's data, including source code, database records, internal Slack communications, and platform conversation videos. Unverified reports suggest that some customer datasets and confidential AI project information may have been compromised.
Mercor has responded swiftly to contain the situation and has launched a third-party forensic investigation to address the breach.