Threat Intelligence | Analysis of Supply Chain Poisoning Attack on node-ipc
Background: On May 14, 2026, the MistEye threat intelligence monitoring system discovered three abnormal release versions of the Node.js IPC package node-ipc on npm: 9.1.6, 9.2.3, and 12.0.1. node-ipc has a weekly download volume of around 530,066 and is directly depended upon by over 400 open-source projects, making it widely used in the Node.js ecosystem. The event chain shows that all three versions append around 80KB of obfuscated code to the end of node-ipc.cjs, capable of credential collection and DNS exfiltration. Deobfuscation comparisons confirm that the entry code is byte-for-byte identical across 9.1.6, 9.2.3, and 12.0.1.
Threat Intelligence | Analysis of Supply Chain Poisoning in Mistral AI Official SDK
Background: Recently, the MistEye security monitoring system captured a malicious version of the Mistral AI official Python SDK (mistralai-2.4.6) while conducting ongoing threat hunting in the PyPI ecosystem. A deep dive revealed that this sample is not a counterfeit package created by an attacker: users installing from PyPI are indeed getting the version published under Mistral's official name, but its source code has been backdoored. Taking into account the release pattern of the poisoned package, which matches that of trusted releases, its associations with known malicious activity such as Shai-Hulud, and publicly available traceability information, the attackers are strongly suspected of having infiltrated the project's release pipeline to inject malicious code into the official version.
Hack Analysis | ShapeShift FOX Colony Authorization Trust Chain Flaw
Background: In May 2026, the ShapeShift FOX Colony project suffered a hack when the EtherRouterCreate3 contract deployed on Arbitrum was compromised. The attacker exploited the 'arbitrary self-calling' capability within the contract's meta-transaction mechanism, together with DSAuth's automatic authorization of address(this), to bypass the auth modifier and replace the core routing component, the resolver, with a malicious version. This allowed them to use delegatecall to drain all ERC20 assets held by the contract. In essence, the attack is a complete privilege bypass caused by the semantic conflict between the meta-transaction mechanism and the internal self-call authorization pattern.
Deep Dive into Shai-Hulud Malware: Is Open Source Out of Control?
Shai-Hulud is a significant cybersecurity threat targeting open-source software supply chains, functioning as a self-propagating npm malware worm that infects the open-source ecosystem. It's considered one of the largest supply chain attacks on npm in recent years, involving hundreds of malicious packages, and the SlowMist MistEye threat intelligence system has issued multiple warnings. Yesterday, a threat group called TeamPCP made a shocking move in the security community: they published the complete source code of their credential-stealing malware Shai-Hulud on GitHub.
Background: Recently, the MistEye security monitoring system captured a high-risk phishing attack targeting TRON wallet users. The sample masquerades as a Chrome MV3 (Manifest V3) extension related to the TRON wallet ecosystem and builds a complete credential theft chain through brand impersonation combined with a remotely controlled UI. The attack has two layers: the first is a counterfeit TronLink Chrome extension that uses Unicode direction control characters and Cyrillic lookalikes to disguise the brand name; after installation, it loads a remote iframe as its popup interface. The second layer is a remote phishing page that fully mimics the UI and functionality of the TronLink Wallet web wallet, collecting mnemonic phrases, private keys, keystore files, and passwords without the user's awareness, and exfiltrating the data through a same-origin API and a Telegram Bot. Static reviews of the extension package struggle to cover the subsequent behavior of remote iframes; hence, this analysis report is released for community defense and self-inspection.
MistEye Security Front Gate officially launched, strengthening the pre-detection defenses for AI Agents
The SlowMist security team has officially launched the MistEye Security Gate (a security front gate skill), providing pre-execution detection of dependency installation and domain access for mainstream AI coding agents like Claude Code, Cursor, and OpenAI GPT. This covers three core risk scenarios: supply chain poisoning, malicious external links, and third-party Skill/MCP installations. MistEye Security Gate open-source address: github.com/slowmist/misteye-skills
1. Background: The skill ecosystem of AI agents and supply chain risks
With the rapid rise of AI coding tools like Claude Code, Cursor, and Codex, "Skill" and "MCP (Model Context Protocol)" have become essential ways for developers to expand their capabilities in daily work. By declaring .claude/settings.json in projects or installing third-party Skill repositories, AI agents can gain extended abilities like browser control, file editing, and database querying.
SlowMist | RWA Smart Contract Security Audit Service Officially Launched
Background: RWA (Real World Asset) is becoming the core direction for deep integration between Web3 and traditional finance. The mapping of real-world assets like bonds, equities, real estate, equipment, and income rights onto the blockchain is reshaping the boundaries of the digital asset ecosystem. Unlike traditional DeFi, the security perimeter of RWA protocols extends from 'code security' to 'rights confirmation, compliance governance, and off-chain execution.' A change in permissions could lead to asset freezes; a forced transfer could impact real-world debt ownership. The relationship between code and law means that the security audit of RWA is no longer just a technical issue but a complex proposition that encompasses technology, compliance, and business logic.
Behind the Exploitation of Grok: An Analysis of AI Agent Privilege Chain Abuse
Background: Recently, there was an incident on the Base chain involving privilege abuse in the combination of AI Agents and automated trading systems. The attacker sent specifically crafted content to @grok on platform X, tricking it into outputting transfer instructions recognized by an external trading agent (@bankrbot), ultimately resulting in the transfer of real assets on-chain. https://x.com/bankrbot/status/2051192437797015859
About the 'Grok Wallet': The address labeled 'Grok Wallet' (0xb1058c959987e3513600eb5b4fd82aeee2a0e4f9) is not under the official control of xAI. This address was automatically generated by @bankrbot as an associated wallet for the X account @grok, with the private key hosted by a third-party wallet service relied upon by Bankr, meaning actual control lies with Bankr. BaseScan has corrected the address label from 'Grok' to Bankr 1 and other relevant identifiers.
SlowMist Production | Linking Real World Assets: From Protocol Analysis to Security Practices
RWA (Real World Asset) is becoming a crucial direction for the deep integration of Web3 and traditional finance. Unlike traditional DeFi, RWA protocols not only facilitate the flow of on-chain assets but also directly map real-world assets like bonds, equities, real estate, equipment, and income rights. Their security perimeter extends from 'code security' to 'rights confirmation, compliance governance, and off-chain execution.' From an audit perspective, the core challenge for RWA is no longer just preventing funds from being stolen, but ensuring that the code logic, business rules, and real-world legal rights are aligned: a single change in permissions could lead to asset freezing; a forced transfer might impact the ownership of debts in the real world.
Hacking Time Recap: SlowMist Teams Up with Industry Experts to Deep Dive into New Attack-Defense Paradigms in AI & Web3
On April 21st, Hacking Time, hosted by SlowMist, was successfully held at Choi's Building in Hong Kong. The event followed the buzz of the Hong Kong Web3 Carnival, themed 'Security for AI & Crypto, AI for Security', drawing security researchers, developers, industry experts, and Web3 practitioners from around the globe. The venue was packed and the atmosphere was lively, with attendees continuously engaging in discussions, showcasing the industry's keen interest in the intersection of AI and Web3 security issues.
Hacking Time Recap: The event officially kicked off under the hosting of 23pds, a partner & CISO from SlowMist. He first welcomed the attendees and briefly introduced the theme and agenda of Hacking Time, setting the stage for a 'tech-driven + practical-oriented' vibe throughout the event.
Interview with SlowMist: The Kelp DAO rsETH × LayerZero incident is a concentrated outbreak of systemic risks in the Lego structure of DeFi.
This article is reprinted from Techub's interview: https://techub.info/html_pages/5ccd5646-052a-4530-b6ed-4229bb9b9330.html
Interviewer: Techub News
Interviewee: SlowMist Security Team
1. Opening Remarks
Techub News Interview Question 1: Please define the Kelp DAO rsETH × LayerZero incident in one sentence. Is it a single point accident, or is it a landmark event in the systemic risks of DeFi in 2026?
This is one of the most severe DeFi security incidents to date in 2026, and it is also a concentrated outbreak of systemic risk. It is not just a theft of a particular contract, but rather a simultaneous breach of the cascading risks of the three-layer architecture of LRT (Liquidity Re-staked Tokens), cross-chain bridges, and lending protocols — the single point of DVN configuration failure ultimately allowed the losses to spread from Kelp to Aave, and then to multiple protocols holding rsETH.
Interpretation | FBI Releases the '2025 Internet Crime Report'
On April 7, 2026, the Federal Bureau of Investigation (FBI) released the "2025 Internet Crime Report". The report coincides with the 25th anniversary of the establishment of the FBI's Internet Crime Complaint Center (IC3) and provides an in-depth analysis based on over 1 million complaints collected in 2025, highlighting the historic loss scale that exceeded $20.8 billion, victim profiles, investment fraud, and other core crime types, while focusing on the evolving role of artificial intelligence (AI) in online scams and law enforcement's breakthroughs in asset recovery. This article interprets the core content of the report, helping readers quickly grasp the changes in global cybersecurity threats in 2025 and enhance their awareness of, and defenses against, complex online scams and AI-driven threats.
SlowMist Hacking Time invites you to explore the new boundaries of AI × Web3 security and compliance
Hacking Time is a classic technology exchange event founded by SlowMist in 2019, always driven by technology at its core, bringing together top security researchers, developers, and industry experts from around the world to engage in in-depth discussions on core Web3 security topics such as on-chain attacks, smart contract security, on-chain analysis, and compliance governance. After years of accumulation and iteration, this event has evolved from a single technical sharing platform to an important communication node connecting security research and regulatory perspectives, becoming a highly representative benchmark event in the field of Web3 security. In April 2026, following the footsteps of the Hong Kong Web3 Carnival, Hacking Time returns to explore the new security boundaries emerging from the collision of AI and Web3.
See you in Hong Kong! SlowMist invites you to the 2026 Hong Kong Web3 Carnival and multiple industry events
As the 2026 Hong Kong Web3 Carnival approaches, the global blockchain industry once again focuses on this international metropolis. As a leading global blockchain security company, SlowMist will participate in and host a series of events from April 20 to 23, sharing our security research results in multiple forums and roundtables, and looks forward to in-depth exchanges with global Web3 practitioners to jointly promote industry security construction.
2026 Hong Kong Web3 Carnival: From April 20 to 23, 2026, the Hong Kong Web3 Carnival, co-hosted by Wanxiang Blockchain Lab and HashKey Group and organized by W3ME, will be held at the Hong Kong Convention and Exhibition Centre.
SlowMist: How to assess the effectiveness of crypto-based anti-money laundering tools
Over the past few years, the core issues facing Virtual Asset Service Providers (VASPs) in the field of anti-money laundering (AML) have quietly changed. Initially, the industry focused more on "whether AML capabilities have been deployed"; now, a more practical question has arisen—whether these capabilities have truly met regulatory standards. Over the past year, this change has become more pronounced. Multiple penalty cases send the same signal: under a results-oriented enforcement framework, "investment has been made but the results are insufficient" and "no measures have been taken" are not strictly distinguished at the accountability level.
Event Review | SlowMist Founder Yu Xian Attends the First Agentic AI Innovation and Security Forum
On March 27, the first Agentic AI Innovation and Security Forum and the first Web 4.0 International Summit in Hong Kong, co-hosted by Hong Kong Cyberport, ME Group, and iPollo, were held at Hong Kong Cyberport. This summit, themed "Agentic AI Innovative Applications: Technological Transformation and Industrial Integration in the Web 4.0 Era", gathered leading figures from various sectors, including the Financial Secretary of the Hong Kong SAR Government, Paul Chan, the Chairman of Hong Kong Cyberport, Charles Chan, Hong Kong Cyberport director and Nano Labs founder Kong Jianping, and renowned angel investor Cai Wensheng, to explore the opportunities and challenges of AI's leap from 'dialogue' to 'action' in this new era.
SlowMist: Comprehensive Upgrade of Web3 Security Framework Services
Background: In the world of Web3, security has never been a 'task' that can be checked off; rather, it is a marathon without an end. However, for a long time, the industry's understanding of 'security' has remained stuck in the old paradigm of one-time audits—exchanging code checks at a certain point in time for 'certainty' before going live. Yet, as threats such as cross-protocol combination attacks, flash loan arbitrage, private key leaks, and front-end hijacking continue to evolve, this 'snapshot security' is rapidly becoming ineffective. Especially after AI Agents have evolved from 'assistive tools' to 'automated executors', the attack surface has further expanded to new dimensions such as prompt injection and malicious Skills / MCPs supply chain poisoning, making security risks exhibit stronger dynamics and interconnectivity. In this context, the security capabilities themselves must also undergo an upgrade.
On March 24, 2026, while AI developers were still writing code, LiteLLM on PyPI was quietly "poisoned." The Python open-source library LiteLLM, which sees up to 97 million downloads per month, had its PyPI releases maliciously altered in the early morning, with two contaminated versions (1.82.7, 1.82.8) quietly going online. In just three hours, tens of thousands of development environments and enterprise systems may have been exposed to data leakage risks. Unlike ordinary attacks, this incident was not an isolated malicious injection but a carefully planned chain attack by the hacker organization TeamPCP. https://x.com/LiteLLM/status/2036503343510778061
Security Alert: Apifox Desktop Client Official CDN Script Poisoned by Supply Chain Attack
1. Background: The SlowMist security team has detected a supply chain attack. The front-end script file hosted on the Apifox official CDN (hxxps[:]//cdn.apifox.com/www/assets/js/apifox-app-event-tracking.min.js) has been injected with heavily obfuscated malicious JavaScript code. This malicious code disguises itself as legitimate statistical tracking functionality and, when running in the Apifox Electron desktop client environment, steals user authentication credentials and sensitive system information and sends them to a C2 server controlled by the attacker; it can then fetch and execute arbitrary remote code, achieving full remote command execution (RCE).
SlowMist Agent Security Skill officially launched, safeguarding every defense line of AI Agents
As AI Agents evolve from "assistive tools" to "autonomous executors", an increasing number of Agents are beginning to possess the ability to install plugins (Skills / MCP), call external APIs, read documents, and even directly participate in on-chain interactions. However, at the same time, a more realistic issue has emerged: when Agents can execute anything, how do they determine what is safe? In the real world, many attacks are no longer limited to traditional vulnerabilities, but rather involve methods such as malicious code libraries, prompt injection, disguised documents, supply chain contamination, and social engineering to carry out "cognitive layer hijacking" on AI Agents. Against this backdrop, SlowMist officially launched: SlowMist Agent Security Skill 0.1.1 (https://github.com/slowmist/slowmist-agent-security), a comprehensive security review framework aimed at AI Agents.