GetChain News

Security/Hacker


TrapDoor Cryptocurrency Theft Campaign Spans npm, PyPI, and Crates.io, Involving Over 34 Malicious Packages

According to research by security firm Socket Security, a cryptocurrency-stealing supply chain attack dubbed “TrapDoor” spans npm, PyPI, and Crates.io, involving over 34 malicious packages and 384 related versions and artifacts. The attack targets cryptocurrency, DeFi, Solana, Sui, Move, and AI developers. Attack samples can steal sensitive information including SSH keys, wallet data, AWS credentials, GitHub tokens, browser data, and environment variables. Specifically, npm packages execute the shared payload `trap-core.js` via the `postinstall` hook; PyPI packages execute remote JavaScript upon import; and Crates.io packages steal local keystores via `build.rs`. Socket has flagged all related packages as malicious and reported them to the respective package registries.
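A defender-side triage check for the npm vector described above, as an added example that is not part of the GetChain News digest or Socket's research: it walks a `node_modules` tree and lists every package that declares install-time lifecycle scripts, which is where the TrapDoor npm packages hooked their payload. The package names and manifests it builds are constructed samples.

```python
import json
import os
import tempfile

# Lifecycle scripts npm can run automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def find_install_scripts(node_modules: str) -> list:
    """Walk node_modules and list packages that declare install-time scripts."""
    findings = []
    for root, _dirs, files in os.walk(node_modules):
        if "package.json" not in files:
            continue
        try:
            with open(os.path.join(root, "package.json"), encoding="utf-8") as fh:
                meta = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, keep scanning
        if not isinstance(meta, dict):
            continue
        scripts = meta.get("scripts") or {}
        hooks = {h: scripts[h] for h in INSTALL_HOOKS if h in scripts}
        if hooks:
            findings.append({"name": meta.get("name", os.path.basename(root)),
                             "version": meta.get("version", "?"),
                             "path": root, "hooks": hooks})
    return findings


def build_sample_tree() -> str:
    """Create a constructed node_modules: one clean package, one with a postinstall hook."""
    base = tempfile.mkdtemp()
    samples = {
        "tiny-util": {"name": "tiny-util", "version": "1.0.0", "scripts": {"test": "jest"}},
        "wallet-helper": {"name": "wallet-helper", "version": "0.3.1",
                          "scripts": {"postinstall": "node trap-core.js"}},
    }
    for name, meta in samples.items():
        pkg_dir = os.path.join(base, "node_modules", name)
        os.makedirs(pkg_dir)
        with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(meta, fh)
    return os.path.join(base, "node_modules")


if __name__ == "__main__":
    for f in find_install_scripts(build_sample_tree()):
        print(f"{f['name']}@{f['version']}: {f['hooks']}")
```

In practice, point it at a real `node_modules` (or install with `npm install --ignore-scripts` first) and review every hit that is not an expected native build step.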

SlowMist Discloses Phishing Campaign Involving Fake TronLink Chrome Extension That Steals Wallet Credentials Such as Mnemonics and Private Keys

According to SlowMist, its security monitoring system MistEye has detected a counterfeit TronLink Chrome MV3 extension targeting TRON wallet users with a two-layer phishing attack. The extension disguises itself as the official plugin using Unicode obfuscation and brand spoofing. Upon installation, it first loads a remote iframe-based pop-up page designed to trick users into entering their mnemonic phrases, private keys, keystore files, and passwords—then exfiltrates this sensitive data via same-origin APIs to a Telegram bot. The malicious infrastructure involved includes the domains tronfind-api[.]tronfindexplorer[.]com and trx-scan-explorer[.]org; the malicious extension ID is ekjidonhjmneoompmjbjofpjmhklpjdd. SlowMist advises users to immediately uninstall the extension. If sensitive information has already been submitted, users should promptly migrate their assets and discontinue use of the compromised wallet.

Bybit Discloses macOS Malware Campaign Targeting Searches for Claude Code

Bybit’s Security Operations Center has identified a multi-stage malware campaign targeting macOS users of Claude Code, an AI-powered search and development tool. Attackers used search engine optimization (SEO) poisoning to push malicious domains to the top of Google search results, luring users to counterfeit installation pages. Once installed, the malware steals browser credentials, macOS Keychain data, Telegram sessions, VPN configurations, and cryptocurrency wallet information. Bybit stated that the malware can also establish persistent access via backdoor functionality and attempts to target over 250 browser wallet extensions and multiple desktop wallet applications. This malicious infrastructure was identified on March 12, and related analysis, mitigation, and detection measures were completed the same day.