Supply-chain attack hits npm, PyPI and crates.io, targeting crypto and AI developers
Huo Xing Cai Jing, citing blockchain security firm SlowMist, said MistEye has identified a supply-chain campaign that pushed malicious packages to major open-source registries including npm, PyPI and crates.io.
The packages were aimed at developers working in cryptocurrency and DeFi, as well as ecosystems such as Solana and Sui/Move, and broader AI-related projects. SlowMist said the activity involved more than 34 malicious packages spanning over 384 related versions.
The attackers are suspected of harvesting sensitive developer data, including crypto wallet information, SSH keys, cloud credentials, GitHub/AWS tokens, browser data and environment variables. Some payloads also attempted to establish persistence through mechanisms such as .cursorrules, CLAUDE.md, Git hooks, shell hooks, cron jobs, systemd and SSH.
SlowMist advised developers to remove any impacted packages immediately, isolate potentially compromised systems, preserve logs, rotate exposed credentials, rebuild CI environments and developer machines from clean images, and review activity logs for GitHub, cloud services, SSH access and wallet operations.
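The persistence locations SlowMist names (Git hooks, .cursorrules and CLAUDE.md files, shell hooks, cron, systemd and SSH) are all plain files on a developer machine, so the "review activity" step can start with a mechanical sweep of those paths for anything changed recently. The script below is an added example written for this page; it is not SlowMist's tooling and contains no indicators from the campaign. It assumes the usual per-user locations (shell rc files, `~/.ssh`, `~/.config/systemd/user`, `.git/hooks` and `core.hooksPath` in each repo, agent instruction files in the home directory and repo root) and takes an optional list of system directories such as `/etc/cron.d` that need root to read. `build_fixture` creates a constructed sample home and repo so the sweep can be exercised offline; on a real machine run it as `python triage.py <repo> [<repo> ...]`.

```python
"""Triage sweep over developer-machine persistence locations (added example).

Lists files in the categories named in the report that were modified within a
lookback window, so a responder can review the youngest changes first.
Assumed locations: shell rc files, ~/.ssh, ~/.config/systemd/user, per-repo
.git/hooks and core.hooksPath, and .cursorrules / CLAUDE.md in home or repo.
"""
import os
import sys
import tempfile
import time
from dataclasses import dataclass
from pathlib import Path

AGENT_FILES = [".cursorrules", "CLAUDE.md"]
SHELL_RC = [".bashrc", ".bash_profile", ".zshrc", ".zshenv", ".zprofile", ".profile"]
SSH_FILES = [".ssh/authorized_keys", ".ssh/config", ".ssh/rc", ".ssh/environment"]
SYSTEMD_USER_DIR = ".config/systemd/user"


@dataclass
class Finding:
    path: Path
    category: str
    age_hours: float


def candidate_paths(home, repos, system_dirs=()):
    """Yield (category, path) for every persistence location that exists."""
    home = Path(home)
    for name in SHELL_RC:                       # shell hooks: rc files sourced at login
        if (home / name).is_file():
            yield "shell-hook", home / name
    for name in SSH_FILES:                      # SSH: keys, config, per-login rc
        if (home / name).is_file():
            yield "ssh", home / name
    unit_dir = home / SYSTEMD_USER_DIR          # user-level systemd units/timers
    if unit_dir.is_dir():
        for p in sorted(unit_dir.iterdir()):
            if p.is_file():
                yield "systemd", p
    for name in AGENT_FILES:                    # agent instruction files in $HOME
        if (home / name).is_file():
            yield "agent-instructions", home / name
    for repo in repos:
        repo = Path(repo)
        for name in AGENT_FILES:                # agent instruction files in the repo
            if (repo / name).is_file():
                yield "agent-instructions", repo / name
        hooks = repo / ".git" / "hooks"         # Git hooks; *.sample are inert templates
        if hooks.is_dir():
            for p in sorted(hooks.iterdir()):
                if p.is_file() and not p.name.endswith(".sample"):
                    yield "git-hook", p
        cfg = repo / ".git" / "config"          # core.hooksPath redirects hooks elsewhere
        if cfg.is_file() and "hookspath" in cfg.read_text(errors="replace").lower():
            yield "git-hookspath", cfg
    for d in system_dirs:                       # e.g. /etc/cron.d, /var/spool/cron/crontabs
        d = Path(d)
        if d.is_dir():
            for p in sorted(d.iterdir()):
                if p.is_file():
                    yield "cron-or-systemd", p


def recent_findings(home, repos, lookback_days=30, system_dirs=(), now=None):
    """Return Findings modified within lookback_days, youngest first."""
    now = time.time() if now is None else now
    out = []
    for category, p in candidate_paths(home, repos, system_dirs):
        age = (now - p.stat().st_mtime) / 3600.0
        if age <= lookback_days * 24:
            out.append(Finding(p, category, round(age, 1)))
    return sorted(out, key=lambda f: f.age_hours)


def _touch(path, mtime, text=""):
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(text)
    os.utime(path, (mtime, mtime))


def build_fixture(now):
    """Constructed sample home + repo (not real data) for an offline run."""
    root = Path(tempfile.mkdtemp(prefix="triage-"))
    home, repo = root / "home", root / "repo"
    h = 3600.0
    _touch(home / ".bashrc", now - 1440 * h)                       # old: outside window
    _touch(home / ".ssh" / "authorized_keys", now - 48 * h)
    _touch(home / ".config/systemd/user/updater.service", now - 24 * h)
    _touch(repo / ".cursorrules", now - 72 * h)
    _touch(repo / "CLAUDE.md", now - 2160 * h)                     # old: outside window
    _touch(repo / ".git/hooks/post-checkout", now - 12 * h)
    _touch(repo / ".git/hooks/pre-commit.sample", now - 12 * h)    # template: ignored
    _touch(repo / ".git/config", now - 120 * h, "[core]\n\thooksPath = .githooks\n")
    return home, repo


if __name__ == "__main__":
    repos = [Path(a) for a in sys.argv[1:]] or [Path.cwd()]
    for f in recent_findings(Path.home(), repos):
        print(f"{f.age_hours:8.1f}h  {f.category:20s} {f.path}")
```

Mtime is a weak signal on its own (an attacker can reset it), so treat the list as a review queue rather than a verdict, and pair it with the credential rotation and clean-image rebuild the advisory recommends.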