Three Major Crypto Attacks in 24 Hours: Fake Apps, $14.2M SOL Theft, and npm Supply Chain Breach

iconAMBCrypto
Share
AI summary iconSummary
On-chain news reports three major crypto security breaches in 24 hours. First, SecondFi warned of phishing scams via fake apps and browser extensions. Second, a Solana whale lost 180,900 SOL ($14.2M) in a theft. Third, the jscrambler npm package faced a supply chain attack with malicious code. Developers should update to version 8.22.0 for a fix.

Crypto scams are becoming increasingly prevalent, drawing widespread attention. In fact, more than three breaches occurred in the past 24 hours, with a few notable cases highlighted below.

SecondFi falls victim to a scam

Fraudsters impersonated SecondFi by developing phony browser extensions and applications that were intended to steal cryptocurrency or access users’ wallets.

To address the confusion, SecondFi clarified,

AD

There is no new application or link, it is the same.

The team asserted that it will never ask users to download software, click links, sign transactions, or transfer assets through direct messages or emails.

Therefore, to prevent phishing scams and money theft, the team advised users to only install the official Chrome extension that has the blue verified checkmark and to access SecondFi via its official website.

SecondFi official page
Source: SecondFi/X

How did a theft result in a loss of 180,900 SOL?

In the second case, blockchain investigator ZachXBT claims that an early Solana [SOL] whale wallet was compromised. This resulted in the purported theft of 180,900 SOL, worth $14.2 million.

According to on-chain data, the wallet initially displayed unusual unstaking activity, indicating that the attacker took over the staked assets before transferring them to newly made Solana addresses to combine and exchange the money.

Later, the stolen assets were bridged from Solana to Ethereum [ETH] to obscure transaction trails and access greater liquidity. Moreover, the investigation asserted that some money had already been transferred using Tornado Cash, making them far harder to trace.

A sophisticated supply chain attack

Finally, jscrambler npm package became the target of a software supply chain attack after an attacker allegedly stole the login credentials needed to release new versions. For context, an information-stealing (infostealer) payload was included in malicious releases 8.14.0, 8.16.0, 8.17.0, 8.18.0, and 8.20.

compromised jscrambler@8.14.0 release
Source: Socket/X

These releases were made to run malicious code on Linux, macOS, or Windows systems. Initially, a preinstall script that executes automatically during npm install was used to distribute the malware.

But in versions 8.18.0 and 8.20.0, the attacker incorporated the malicious code straight into the package, evading security measures such as npm install –ignore-scripts, which typically stops preinstall scripts from executing.

According to jscrambler, the attack was made possible by compromised npm publishing credentials, which allowed for unapproved releases. Following that, developers were urged to update immediately to version 8.22.0, which contains the fix.


Final Summary

  • Different hacking techniques like phishing scams, wallet compromises, and software supply chains are raising alarms.
  • By avoiding unsolicited links, updating compromised software, and confirming official sources, users, and developers can stay safe.
Disclaimer: The information on this page may have been obtained from third parties and does not necessarily reflect the views or opinions of KuCoin. This content is provided for general informational purposes only, without any representation or warranty of any kind, nor shall it be construed as financial or investment advice. KuCoin shall not be liable for any errors or omissions, or for any outcomes resulting from the use of this information. Investments in digital assets can be risky. Please carefully evaluate the risks of a product and your risk tolerance based on your own financial circumstances. For more information, please refer to our Terms of Use and Risk Disclosure.