Security Alert: 30 malicious npm packages disguised as trading bot repositories, targeting the theft of developer keys and mnemonic phrases
SlowMist has issued a security alert after detecting a coordinated malicious npm supply chain attack. The attackers used fake trading bot repositories and DeFi-themed npm packages to deliver JavaScript information stealers, targeting npm users, DeFi developers, and trading bot users.

The attack involved 30 malicious npm packages. One of them, stake-math@3.5.4, appeared as a locked dependency in the donoaccestag/forex-mt5-trading-bot repository. That repository had approximately 2300 highly homogeneous, bulk-generated forks, most of them concentrated under the poly-stocks account, which is a very clear signal of coordinated activity. The sensitive data the attackers could steal is extensive: cryptocurrency wallet libraries, browser cookies and saved passwords, browsing history, developer credentials, shell history, password manager libraries, private keys, mnemonic phrases, and API tokens exposed in source code.

SlowMist recommends that developers immediately remove the affected npm packages; audit package.json and package-lock.json, and check CI logs, for any of the 30 malicious packages; treat any system that has executed npm install as potentially compromised; rotate all exposed wallets, private keys, npm tokens, cloud credentials, SSH keys, and API tokens; and rebuild the affected environment from a clean image.