News Heat Trend
Project Overview
Agentwood Studios is an AI agents designed to revolutionize the filmmaking industry. Derived from the creative minds of filmmakers, producers, actors, and actresses, these AI agents collaborate in a dynamic, user-driven environment to generate scripts, trailers, short films, and even full-length feature films.
Anthropic Model Safety Controversy Escalates, Amazon Accused of Being the "Hidden Force" Triggering Regulatory Intervention
the U.S. government's export controls and access restrictions on Anthropic's models, Fable 5 / Mythos 5, were partly driven by Amazon's cybersecurity research and AWS CEO Andy Jassy's communications with the White House.It is understood that research submitted by Amazon indicated that through a series of prompt tests, researchers could induce Fable 5 to output sensitive information potentially usable for cyberattacks, raising security concerns. Subsequently, Andy Jassy reported these findings to the U.S. government level, prompting the White House to implement further restrictions, including banning foreign users from accessing the model.Meanwhile, former U.S. Commerce Department official Kate Koren revealed that the White House's existing policy stance towards Anthropic may have also influenced this decision. This is because Anthropic has disagreements with the White House over the boundaries of AI safety, including refusing to use its models for mass surveillance or lethal autonomous weapons systems. Although the two sides had eased tensions and expanded cooperation earlier this year, this incident could reignite strained relations between them. (The Wall Street Journal)
SlowMist Discloses Cross-Registry Supply Chain Attack Targeting Crypto and AI Developers
According to on-chain analyst PeckShield (@PeckShieldAlert), SlowMist’s threat intelligence system MistEye has detected a cross-registry supply chain attack targeting developers. Malicious packages have spread across three major registries—npm, PyPI, and Crates.io—comprising over 34 malicious packages and more than 384 related versions. The attack targets developer communities in cryptocurrency, DeFi, Solana, Sui/Move, and AI. It may lead to the theft of cryptocurrency wallets, SSH keys, cloud credentials, GitHub/AWS tokens, browser data, and other sensitive developer information. Some malicious payloads also attempt persistence via mechanisms including `.cursorrules`, `CLAUDE.md`, Git hooks, cron, systemd, and SSH. SlowMist recommends immediately removing affected packages, isolating compromised systems, rotating exposed credentials, rebuilding CI environments and developer machines from clean images, and conducting comprehensive reviews of GitHub, cloud, SSH, and wallet-related activities.
Wasabi Protocol Updates on Security Incident Response: Final User Compensation Plan Not Yet Confirmed
Wasabi Protocol released a security incident update, stating that the attacker exploited a Spring Boot Actuator configuration vulnerability in its AWS infrastructure to steal private keys controlling EVM smart contracts, and subsequently drained approximately $4.8 million in user funds and $900,000 from the protocol’s treasury—totaling roughly $5.7 million in losses. The attack chain originated from a public-facing analysis server whose Actuator heap dump was not properly password-protected, enabling the attacker to obtain credentials for another server and ultimately gain control of the smart contract private keys. This incident affected only EVM deployments—including certain treasuries on Ethereum, Base, Blast, and Berachain—while Solana deployments and the Prop AMM remained unaffected. No final user compensation plan has been announced yet; however, “ensuring all affected users are compensated” remains the team’s top priority. Updates on the investigation will be shared with the community via Discord.
PrimePiper Launches Prime Broker Dedicated to AI Agents, Enabling Multi-Exchange Connectivity, Cross-Venue Reconciliation, and Risk Control & Audit Capabilities
PrimePiper has launched an enterprise-grade prime broker platform for AI agents, designed to address challenges including fragmented account management, inadequate risk control, inability to reconcile across venues, and insufficient compliance auditing in AI-driven automated trading. According to the company, its infrastructure supports unified connectivity to multiple trading venues—including Hyperliquid, OKX, Tiger Brokers, and Interactive Brokers (IBKR). For risk control, PrimePiper offers enterprise-grade API key management, spending limits, and circuit-breaker mechanisms to constrain AI agent trading behavior. At the execution layer, it enables automated strategy execution via SDK or the Model Context Protocol (MCP). For compliance and auditing, it provides audit-grade reporting capabilities tailored for funds and traders. PrimePiper has been selected for the latest cohort of Founders Inc’s accelerator program; its product is currently in the Alpha stage. Team members hail from Galois Capital, Kraken, DRW, and AWS.
Vercel CEO: Attackers Stole API Keys via Malware, Impact Broader Than Initially Assessed
Vercel CEO Guillermo Rauch (@rauchg) announced that Vercel is conducting an in-depth investigation into the April 2026 security incident. The investigation revealed that the attackers initially breached Vercel’s systems via Context.ai’s account—a startup—but their activities extended far beyond this initial intrusion. Threat intelligence indicates that the attackers distributed malware to steal Vercel account credentials and API keys from other service providers, then used those keys to rapidly and extensively enumerate non-sensitive environment variables. To trace the root cause, Vercel has processed nearly 1 petabyte of network and API logs. Vercel is collaborating with industry partners—including Microsoft, AWS, and Wiz—to respond jointly and has proactively notified other potentially affected parties, urging them to rotate credentials and adopt security best practices.
Coinbase Review of May Outage: AWS Cascading Failures Exposed Architectural Risks
Coinbase has released a post-mortem report on the large-scale service outage that occurred on May 7, 2026. The disruption lasted approximately 8 hours, with full recovery taking about 12 hours. During this period, trading, deposits, withdrawals, and most core services were either unavailable or severely degraded.Coinbase stated that the outage was triggered by the simultaneous failure of multiple chillers in the cooling system of a data center within an Availability Zone (use1-az4) of the AWS us-east-1 region. This led to thermal shutdown protection for server racks, causing EC2 instances and EBS volumes to go offline, and impacting multiple internet services.During the recovery process, Coinbase's trading matching engine lost quorum after its cluster architecture, deployed within a single AWS data center, lost the majority of its nodes. Emergency code adjustments and the formation of new node groups were required to restore operations, with market trading being gradually restarted throughout the recovery.Additionally, the AWS Managed Streaming for Kafka (MSK) service experienced a control plane failure, preventing automatic re-election of partition leaders. This further blocked order books, fee calculations, and parts of the settlement and data streaming systems, expanding the overall impact. After Coinbase and the AWS engineering teams collaborated on manual partition migrations, the system gradually returned to normal.Coinbase indicated that this incident exposed deficiencies in its cross-Availability Zone automatic failover capabilities and the disaster recovery of managed middleware. The company will upgrade its cross-region hot standby architecture, strengthen regular disaster recovery drills, migrate its Kafka systems from a dual-AZ to a triple-AZ deployment, and work jointly with AWS to address root causes and implement improvements.
SlowMist Discloses Cross-Registry Supply Chain Attack Targeting Crypto and AI Developers
According to on-chain analyst PeckShield (@PeckShieldAlert), SlowMist’s threat intelligence system MistEye has detected a cross-registry supply chain attack targeting developers. Malicious packages have spread across three major registries—npm, PyPI, and Crates.io—comprising over 34 malicious packages and more than 384 related versions. The attack targets developer communities in cryptocurrency, DeFi, Solana, Sui/Move, and AI. It may lead to the theft of cryptocurrency wallets, SSH keys, cloud credentials, GitHub/AWS tokens, browser data, and other sensitive developer information. Some malicious payloads also attempt persistence via mechanisms including `.cursorrules`, `CLAUDE.md`, Git hooks, cron, systemd, and SSH. SlowMist recommends immediately removing affected packages, isolating compromised systems, rotating exposed credentials, rebuilding CI environments and developer machines from clean images, and conducting comprehensive reviews of GitHub, cloud, SSH, and wallet-related activities.
AWS partners with Coinbase and Stripe to launch AI agent stablecoin payment functionality, enabling microtransactions using USDC
According to The Block, Amazon Web Services (AWS) has partnered with Coinbase and Stripe to launch Amazon Bedrock AgentCore Payments, enabling AI agents to conduct transactions using stablecoins. Coinbase stated that developers can build “agent-based payment” solutions using the x402 protocol, allowing AI agents to make micro-payments in USDC. This feature enables AI agents to instantly pay for web content, APIs, MCP servers, and other agents. AWS noted that developers can choose between Coinbase and Stripe wallets and fund those wallets using either stablecoins or fiat currency.
PrimePiper Launches Prime Broker Dedicated to AI Agents, Enabling Multi-Exchange Connectivity, Cross-Venue Reconciliation, and Risk Control & Audit Capabilities
PrimePiper has launched an enterprise-grade prime broker platform for AI agents, designed to address challenges including fragmented account management, inadequate risk control, inability to reconcile across venues, and insufficient compliance auditing in AI-driven automated trading. According to the company, its infrastructure supports unified connectivity to multiple trading venues—including Hyperliquid, OKX, Tiger Brokers, and Interactive Brokers (IBKR). For risk control, PrimePiper offers enterprise-grade API key management, spending limits, and circuit-breaker mechanisms to constrain AI agent trading behavior. At the execution layer, it enables automated strategy execution via SDK or the Model Context Protocol (MCP). For compliance and auditing, it provides audit-grade reporting capabilities tailored for funds and traders. PrimePiper has been selected for the latest cohort of Founders Inc’s accelerator program; its product is currently in the Alpha stage. Team members hail from Galois Capital, Kraken, DRW, and AWS.
Anthropic Model Safety Controversy Escalates, Amazon Accused of Being the "Hidden Force" Triggering Regulatory Intervention
the U.S. government's export controls and access restrictions on Anthropic's models, Fable 5 / Mythos 5, were partly driven by Amazon's cybersecurity research and AWS CEO Andy Jassy's communications with the White House.It is understood that research submitted by Amazon indicated that through a series of prompt tests, researchers could induce Fable 5 to output sensitive information potentially usable for cyberattacks, raising security concerns. Subsequently, Andy Jassy reported these findings to the U.S. government level, prompting the White House to implement further restrictions, including banning foreign users from accessing the model.Meanwhile, former U.S. Commerce Department official Kate Koren revealed that the White House's existing policy stance towards Anthropic may have also influenced this decision. This is because Anthropic has disagreements with the White House over the boundaries of AI safety, including refusing to use its models for mass surveillance or lethal autonomous weapons systems. Although the two sides had eased tensions and expanded cooperation earlier this year, this incident could reignite strained relations between them. (The Wall Street Journal)
SlowMist Discloses Cross-Registry Supply Chain Attack Targeting Crypto and AI Developers
According to on-chain analyst PeckShield (@PeckShieldAlert), SlowMist’s threat intelligence system MistEye has detected a cross-registry supply chain attack targeting developers. Malicious packages have spread across three major registries—npm, PyPI, and Crates.io—comprising over 34 malicious packages and more than 384 related versions. The attack targets developer communities in cryptocurrency, DeFi, Solana, Sui/Move, and AI. It may lead to the theft of cryptocurrency wallets, SSH keys, cloud credentials, GitHub/AWS tokens, browser data, and other sensitive developer information. Some malicious payloads also attempt persistence via mechanisms including `.cursorrules`, `CLAUDE.md`, Git hooks, cron, systemd, and SSH. SlowMist recommends immediately removing affected packages, isolating compromised systems, rotating exposed credentials, rebuilding CI environments and developer machines from clean images, and conducting comprehensive reviews of GitHub, cloud, SSH, and wallet-related activities.
TrapDoor Cryptocurrency Theft Campaign Spans npm, PyPI, and Crates.io, Involving Over 34 Malicious Packages
According to research by security firm Socket Security, a cryptocurrency-stealing supply chain attack dubbed “TrapDoor” spans npm, PyPI, and Crates.io, involving over 34 malicious packages and 384 related versions and artifacts. The attack targets cryptocurrency, DeFi, Solana, Sui, Move, and AI developers. Attack samples can steal sensitive information including SSH keys, wallet data, AWS credentials, GitHub tokens, browser data, and environment variables. Specifically, npm packages execute the shared payload `trap-core.js` via the `postinstall` hook; PyPI packages execute remote JavaScript upon import; and Crates.io packages steal local keystores via `build.rs`. Socket has flagged all related packages as malicious and reported them to the respective package registries.
Wasabi Protocol Updates on Security Incident Response: Final User Compensation Plan Not Yet Confirmed
Wasabi Protocol released a security incident update, stating that the attacker exploited a Spring Boot Actuator configuration vulnerability in its AWS infrastructure to steal private keys controlling EVM smart contracts, and subsequently drained approximately $4.8 million in user funds and $900,000 from the protocol’s treasury—totaling roughly $5.7 million in losses. The attack chain originated from a public-facing analysis server whose Actuator heap dump was not properly password-protected, enabling the attacker to obtain credentials for another server and ultimately gain control of the smart contract private keys. This incident affected only EVM deployments—including certain treasuries on Ethereum, Base, Blast, and Berachain—while Solana deployments and the Prop AMM remained unaffected. No final user compensation plan has been announced yet; however, “ensuring all affected users are compensated” remains the team’s top priority. Updates on the investigation will be shared with the community via Discord.
Vercel CEO: Attackers Stole API Keys via Malware, Impact Broader Than Initially Assessed
Vercel CEO Guillermo Rauch (@rauchg) announced that Vercel is conducting an in-depth investigation into the April 2026 security incident. The investigation revealed that the attackers initially breached Vercel’s systems via Context.ai’s account—a startup—but their activities extended far beyond this initial intrusion. Threat intelligence indicates that the attackers distributed malware to steal Vercel account credentials and API keys from other service providers, then used those keys to rapidly and extensively enumerate non-sensitive environment variables. To trace the root cause, Vercel has processed nearly 1 petabyte of network and API logs. Vercel is collaborating with industry partners—including Microsoft, AWS, and Wiz—to respond jointly and has proactively notified other potentially affected parties, urging them to rotate credentials and adopt security best practices.
CoW Swap Releases Post-Mortem Report on Attack: cow.fi Domain Hijacking Resulted from Supply Chain Attack on Registration Pipeline; Preliminary Estimate of User Losses Is Approximately $1.2 Million
According to an official incident post-mortem report on the CoW Swap attack, its domain cow.fi was compromised via a supply-chain attack on April 14, 2026. Attackers exploited social engineering tactics to infiltrate the .fi domain registration process and hijack DNS resolution, causing users attempting to access swap.cow.fi to be redirected to a phishing site for several hours. During this period, attackers deployed a counterfeit trading interface and attempted to trick users into connecting their wallets and signing malicious transactions. The report states that this incident did not impact CoW Protocol’s on-chain smart contracts, backend systems, or user fund security; core infrastructure—including services hosted on AWS and Vercel—remained uncompromised. The attack occurred exclusively during the domain registration and transfer process: attackers gained control by forging identity documents and exploiting vulnerabilities in the registration workflow, briefly modifying the domain’s DNS records. The team detected the anomaly within 19 minutes and initiated emergency response procedures, subsequently migrating to cow.finance and fully restoring the cow.fi domain within approximately 26 hours. CoW’s team noted that affected users were primarily those who visited the official website during the domain hijacking window. Preliminary estimates place losses at around $1.2 million. The cow.fi domain has since been reactivated with enhanced security measures—including RegistryLock—and the team has launched external security audits, legal proceedings against the perpetrators, and is developing a potential user compensation plan. The official statement emphasizes that the vulnerability has been patched and outlines plans to improve domain infrastructure security through governance initiatives and industry collaboration.
Grayscale Research Head: Hyperliquid HIP-3 Cumulative Trading Volume Reaches $200 Billion, HYPE Captures Transaction Value Flow
Grayscale Research Head Zach Pandl stated that perpetual contracts, as a core product of the crypto market, have long been limited to crypto assets such as BTC and ETH. However, Hyperliquid is changing this landscape through its HIP-3 upgrade. HIP-3 allows for the permissionless deployment of perpetual contract markets on the Hyperliquid infrastructure, and a S&P 500 perpetual contract product has already been launched on Hyperliquid.Data shows that the HIP-3 market reached a peak open interest of approximately $3.2 billion in June 2026, with a cumulative trading volume of about $200 billion. These markets are not directly operated by Hyperliquid but adopt a "permissionless infrastructure" model: any qualified developer can create derivatives trading markets on its underlying network. This makes Hyperliquid more akin to an open financial infrastructure similar to AWS, with the HYPE token capturing the overall transaction value flow.
Anthropic Model Safety Controversy Escalates, Amazon Accused of Being the "Hidden Force" Triggering Regulatory Intervention
the U.S. government's export controls and access restrictions on Anthropic's models, Fable 5 / Mythos 5, were partly driven by Amazon's cybersecurity research and AWS CEO Andy Jassy's communications with the White House.It is understood that research submitted by Amazon indicated that through a series of prompt tests, researchers could induce Fable 5 to output sensitive information potentially usable for cyberattacks, raising security concerns. Subsequently, Andy Jassy reported these findings to the U.S. government level, prompting the White House to implement further restrictions, including banning foreign users from accessing the model.Meanwhile, former U.S. Commerce Department official Kate Koren revealed that the White House's existing policy stance towards Anthropic may have also influenced this decision. This is because Anthropic has disagreements with the White House over the boundaries of AI safety, including refusing to use its models for mass surveillance or lethal autonomous weapons systems. Although the two sides had eased tensions and expanded cooperation earlier this year, this incident could reignite strained relations between them. (The Wall Street Journal)
Coinbase Review of May Outage: AWS Cascading Failures Exposed Architectural Risks
Coinbase has released a post-mortem report on the large-scale service outage that occurred on May 7, 2026. The disruption lasted approximately 8 hours, with full recovery taking about 12 hours. During this period, trading, deposits, withdrawals, and most core services were either unavailable or severely degraded.Coinbase stated that the outage was triggered by the simultaneous failure of multiple chillers in the cooling system of a data center within an Availability Zone (use1-az4) of the AWS us-east-1 region. This led to thermal shutdown protection for server racks, causing EC2 instances and EBS volumes to go offline, and impacting multiple internet services.During the recovery process, Coinbase's trading matching engine lost quorum after its cluster architecture, deployed within a single AWS data center, lost the majority of its nodes. Emergency code adjustments and the formation of new node groups were required to restore operations, with market trading being gradually restarted throughout the recovery.Additionally, the AWS Managed Streaming for Kafka (MSK) service experienced a control plane failure, preventing automatic re-election of partition leaders. This further blocked order books, fee calculations, and parts of the settlement and data streaming systems, expanding the overall impact. After Coinbase and the AWS engineering teams collaborated on manual partition migrations, the system gradually returned to normal.Coinbase indicated that this incident exposed deficiencies in its cross-Availability Zone automatic failover capabilities and the disaster recovery of managed middleware. The company will upgrade its cross-region hot standby architecture, strengthen regular disaster recovery drills, migrate its Kafka systems from a dual-AZ to a triple-AZ deployment, and work jointly with AWS to address root causes and implement improvements.
SlowMist Discloses Cross-Registry Supply Chain Attack Targeting Crypto and AI Developers
According to on-chain analyst PeckShield (@PeckShieldAlert), SlowMist’s threat intelligence system MistEye has detected a cross-registry supply chain attack targeting developers. Malicious packages have spread across three major registries—npm, PyPI, and Crates.io—comprising over 34 malicious packages and more than 384 related versions. The attack targets developer communities in cryptocurrency, DeFi, Solana, Sui/Move, and AI. It may lead to the theft of cryptocurrency wallets, SSH keys, cloud credentials, GitHub/AWS tokens, browser data, and other sensitive developer information. Some malicious payloads also attempt persistence via mechanisms including `.cursorrules`, `CLAUDE.md`, Git hooks, cron, systemd, and SSH. SlowMist recommends immediately removing affected packages, isolating compromised systems, rotating exposed credentials, rebuilding CI environments and developer machines from clean images, and conducting comprehensive reviews of GitHub, cloud, SSH, and wallet-related activities.
TrapDoor Cryptocurrency Theft Campaign Spans npm, PyPI, and Crates.io, Involving Over 34 Malicious Packages
According to research by security firm Socket Security, a cryptocurrency-stealing supply chain attack dubbed “TrapDoor” spans npm, PyPI, and Crates.io, involving over 34 malicious packages and 384 related versions and artifacts. The attack targets cryptocurrency, DeFi, Solana, Sui, Move, and AI developers. Attack samples can steal sensitive information including SSH keys, wallet data, AWS credentials, GitHub tokens, browser data, and environment variables. Specifically, npm packages execute the shared payload `trap-core.js` via the `postinstall` hook; PyPI packages execute remote JavaScript upon import; and Crates.io packages steal local keystores via `build.rs`. Socket has flagged all related packages as malicious and reported them to the respective package registries.
The BNBAgent SDK has been launched on the BSC mainnet, providing core infrastructure for scaling AI agents on-chain.
The BNBAgent SDK has officially launched on the BSC mainnet, providing core infrastructure for scaling AI agents on-chain. The SDK comprises four modular components: identity and trust based on ERC-8004; commerce and custody based on ERC-8183 (APEX); autonomous payments integrating MPP and x402; and memory and storage built on BNB Greenfield. This framework addresses key challenges faced by AI agents—including identity verification, commercial collaboration, automated settlement, and cross-execution-environment memory continuity—enabling developers to build, deploy, and monetize AI agents on BNB Chain. Initial partners include Google, AWS, Virtuals, Binance Pay, Trust Wallet, Binance Wallet, and United Stables.
Related news
“White-Haired Stock God” Serenity: Three Major Tech Themes Progressing, Photonics and Memory May Be the Next Main Phase
“White-Haired Stock God” Serenity stated on the X platform that his three earlier proposed major investment themes: New Cloud Computing (Neoclouds), Photonics Technology (Photonics), and Memory are gradually being realized in the market and validated by individual stock performance. Judging from the trends of assets such as AAOI, EWY, and NBIS, the related industrial chain is entering a phase of accelerated differentiation, with some targets reaching all-time highs.Serenity also mentioned that IREN has shown relatively stagnant performance due to the pressure from an approximately $6 billion ATM equity offering, while Nebius continues to strengthen, forming a clear pattern of divergence. The core of the market lies in identifying main themes in advance and concentrating allocations in the right tracks, but even with the correct software direction chosen, returns may fall short of expectations due to differences in structural market conditions.In terms of outlook, Serenity believes that photonics technology is still in its early stages but has significant long-term potential; Nebius has the potential to develop into a “cloud computing version of AWS”; while Micron (MU), SK Hynix, and Samsung Electronics may possess industry-level revaluation potential similar to Nvidia, driven by structural memory demand.
Grayscale Research Head: Hyperliquid HIP-3 Cumulative Trading Volume Reaches $200 Billion, HYPE Captures Transaction Value Flow
Grayscale Research Head Zach Pandl stated that perpetual contracts, as a core product of the crypto market, have long been limited to crypto assets such as BTC and ETH. However, Hyperliquid is changing this landscape through its HIP-3 upgrade. HIP-3 allows for the permissionless deployment of perpetual contract markets on the Hyperliquid infrastructure, and a S&P 500 perpetual contract product has already been launched on Hyperliquid.Data shows that the HIP-3 market reached a peak open interest of approximately $3.2 billion in June 2026, with a cumulative trading volume of about $200 billion. These markets are not directly operated by Hyperliquid but adopt a "permissionless infrastructure" model: any qualified developer can create derivatives trading markets on its underlying network. This makes Hyperliquid more akin to an open financial infrastructure similar to AWS, with the HYPE token capturing the overall transaction value flow.
Anthropic Model Safety Controversy Escalates, Amazon Accused of Being the "Hidden Force" Triggering Regulatory Intervention
the U.S. government's export controls and access restrictions on Anthropic's models, Fable 5 / Mythos 5, were partly driven by Amazon's cybersecurity research and AWS CEO Andy Jassy's communications with the White House.It is understood that research submitted by Amazon indicated that through a series of prompt tests, researchers could induce Fable 5 to output sensitive information potentially usable for cyberattacks, raising security concerns. Subsequently, Andy Jassy reported these findings to the U.S. government level, prompting the White House to implement further restrictions, including banning foreign users from accessing the model.Meanwhile, former U.S. Commerce Department official Kate Koren revealed that the White House's existing policy stance towards Anthropic may have also influenced this decision. This is because Anthropic has disagreements with the White House over the boundaries of AI safety, including refusing to use its models for mass surveillance or lethal autonomous weapons systems. Although the two sides had eased tensions and expanded cooperation earlier this year, this incident could reignite strained relations between them. (The Wall Street Journal)
Coinbase Review of May Outage: AWS Cascading Failures Exposed Architectural Risks
Coinbase has released a post-mortem report on the large-scale service outage that occurred on May 7, 2026. The disruption lasted approximately 8 hours, with full recovery taking about 12 hours. During this period, trading, deposits, withdrawals, and most core services were either unavailable or severely degraded.Coinbase stated that the outage was triggered by the simultaneous failure of multiple chillers in the cooling system of a data center within an Availability Zone (use1-az4) of the AWS us-east-1 region. This led to thermal shutdown protection for server racks, causing EC2 instances and EBS volumes to go offline, and impacting multiple internet services.During the recovery process, Coinbase's trading matching engine lost quorum after its cluster architecture, deployed within a single AWS data center, lost the majority of its nodes. Emergency code adjustments and the formation of new node groups were required to restore operations, with market trading being gradually restarted throughout the recovery.Additionally, the AWS Managed Streaming for Kafka (MSK) service experienced a control plane failure, preventing automatic re-election of partition leaders. This further blocked order books, fee calculations, and parts of the settlement and data streaming systems, expanding the overall impact. After Coinbase and the AWS engineering teams collaborated on manual partition migrations, the system gradually returned to normal.Coinbase indicated that this incident exposed deficiencies in its cross-Availability Zone automatic failover capabilities and the disaster recovery of managed middleware. The company will upgrade its cross-region hot standby architecture, strengthen regular disaster recovery drills, migrate its Kafka systems from a dual-AZ to a triple-AZ deployment, and work jointly with AWS to address root causes and implement improvements.
SlowMist Discloses Cross-Registry Supply Chain Attack Targeting Crypto and AI Developers
According to on-chain analyst PeckShield (@PeckShieldAlert), SlowMist’s threat intelligence system MistEye has detected a cross-registry supply chain attack targeting developers. Malicious packages have spread across three major registries—npm, PyPI, and Crates.io—comprising over 34 malicious packages and more than 384 related versions. The attack targets developer communities in cryptocurrency, DeFi, Solana, Sui/Move, and AI. It may lead to the theft of cryptocurrency wallets, SSH keys, cloud credentials, GitHub/AWS tokens, browser data, and other sensitive developer information. Some malicious payloads also attempt persistence via mechanisms including `.cursorrules`, `CLAUDE.md`, Git hooks, cron, systemd, and SSH. SlowMist recommends immediately removing affected packages, isolating compromised systems, rotating exposed credentials, rebuilding CI environments and developer machines from clean images, and conducting comprehensive reviews of GitHub, cloud, SSH, and wallet-related activities.
TrapDoor Cryptocurrency Theft Campaign Spans npm, PyPI, and Crates.io, Involving Over 34 Malicious Packages
According to research by security firm Socket Security, a cryptocurrency-stealing supply chain attack dubbed “TrapDoor” spans npm, PyPI, and Crates.io, involving over 34 malicious packages and 384 related versions and artifacts. The attack targets cryptocurrency, DeFi, Solana, Sui, Move, and AI developers. Attack samples can steal sensitive information including SSH keys, wallet data, AWS credentials, GitHub tokens, browser data, and environment variables. Specifically, npm packages execute the shared payload `trap-core.js` via the `postinstall` hook; PyPI packages execute remote JavaScript upon import; and Crates.io packages steal local keystores via `build.rs`. Socket has flagged all related packages as malicious and reported them to the respective package registries.