TechFlow news: On May 25, on-chain analyst PeckShield (@PeckShieldAlert) reported that MistEye—the threat intelligence system operated by SlowMist—detected a cross-registry supply chain attack targeting developers. Malicious packages have spread across three major package registries: npm, PyPI, and Crates.io, involving over 34 malicious packages and more than 384 related versions.
The attack targets developer communities in cryptocurrency, DeFi, Solana, Sui/Move, and AI. It may lead to theft of cryptocurrency wallets, SSH keys, cloud credentials, GitHub/AWS tokens, browser data, and other sensitive developer information. Some malicious payloads also attempt persistence via mechanisms including .cursorrules, CLAUDE.md, Git hooks, cron, systemd, and SSH. SlowMist recommends immediately removing affected packages, isolating compromised systems, rotating exposed credentials, rebuilding CI environments and developer machines from clean images, and conducting comprehensive reviews of GitHub, cloud, SSH, and wallet-related activities.




