cio

According to SlowMist monitoring, a new type of Rust supply chain malware activity named IronWorm is attacking developer environments and the Web3 ecosystem through malicious npm packages. Potential attack behaviors include credential theft, wallet mnemonic and password theft, GitHub repository tampering, malicious package publishing, CI/CD secret leakage, Tor-based command control, and eBPF rootkit stealth.Security teams should audit the repository for backtracked commits, suspicious branches, unexpected build hooks, and commits from automated identities such as claude, dependabot, renovate, or github-actions. It is recommended to remove or deprecate affected package versions, publish clean versions, rotate all leaked keys and tokens, review GitHub Actions artifacts, and rebuild potentially compromised development or CI systems from clean images.

Bitwise Chief Investment Officer Matt Hougan posted on the X platform, stating that institutions are like large oil tankers, which have now adjusted their course to support cryptocurrencies, tokenization, and stablecoins.He believes that this trend will not slow down, regardless of price performance.

According to GoPlus warning, a user lost approximately $316,000 worth of USDC to a phishing attack due to signing a malicious Permit2 transaction.

According to Slow Fog's disclosure, the security agency MistEye detected a cross-registry supply chain attack incident, where attackers targeted developers in the fields of cryptocurrency, DeFi, Solana, Sui/Move, and AI by publishing malicious packages on npm, PyPI, and crates.io. This attack activity includes more than 34 malicious packages and over 384 related versions. The attackers may steal cryptocurrency wallets, SSH keys, cloud credentials, GitHub/AWS tokens, browser data, environment variables, and developers' confidential information.Some of the malicious payloads also attempted to achieve persistence through .cursorrules, CLAUDE.md, Git hooks, shell hooks, cron, systemd, and SSH. Developers are advised to immediately remove the affected packages, isolate the affected systems, retain logs, rotate exposed credentials, rebuild CI environments and developer machines from clean images, and review GitHub, cloud services, SSH, and wallet activity logs.

Security company Socket Security disclosed that a cryptocurrency theft operation named TrapDoor is launching active supply chain attacks in package repositories such as npm, PyPI, and Crates.io. A total of 34 malicious packages and 384 versions and components have been identified, with attackers continuously pushing new versions across various ecosystems.TrapDoor primarily targets developers in the cryptocurrency, DeFi, AI, and security fields, stealing wallets, SSH keys, cloud credentials, GitHub tokens, browser data, environment variables, and API keys. Socket detected that the median detection time for malicious versions was 5 minutes and 27 seconds, with the fastest detection occurring 58 seconds after release.

According to monitoring by Specter Analyst, a high-net-worth investor holding significant assets on the Kraken and Coinbase trading platforms was subjected to a suspected personal coercion attack, resulting in a total loss of approximately $6.7 million in various assets. The attacker withdrew 1,554 ETH (approximately $3.3 million) from the user's Kraken account and 10.5 BTC.At the same time, the attacker also breached the defenses of their Coinbase account, withdrawing 34.1 cbBTC. Subsequently, the attacker directly deposited over $5.3 million of the stolen funds into the privacy protocol Tornado Cash to obscure the transaction path.

According to Cointelegraph, Casa co-founder Jameson Lopp warned that a new phishing technique has emerged, where attackers abuse legitimate Google recovery forms to hide malicious links within lengthy messages filled with a lot of blank space.

The Chief Information Security Officer of Slow Fog, 23pds, disclosed on platform X that node-ipc has been compromised again. The released three malicious versions of node-ipc (9.1.6, 9.2.3, 12.1) carry the same credential-stealing payload, with the package being downloaded over 10 million times per week.

According to Protos, Myanmar has proposed introducing the death penalty for criminals who use violent means to coerce victims into participating in cryptocurrency scam centers. According to the draft of the country's Anti-Cyber Fraud Bill, criminals who use violence, torture, illegal arrest and detention, or cruel treatment against others to force them to commit cyber fraud will be sentenced to death.The bill will be submitted to parliament for review in June. In addition, operators of scam centers or perpetrators of cryptocurrency scams will face life imprisonment. Last month, the President of Myanmar reduced all death sentences to life imprisonment.

According to The Block, Bitwise Chief Investment Officer Matt Hougan pointed out that Circle's Arc, Canton Network, and Stripe's Tempo have recently completed over one billion dollars in financing collectively, with all three financings occurring after the signing of the GENIUS Act in July 2025. Hougan believes that this act has broken the regulatory deadlock that previously suppressed institutional capital entry.Hougan summarized three major signals: first, all three chains have made native privacy transactions a core design to meet institutions' needs for transaction confidentiality; second, the implementation of the GENIUS Act has significantly reduced regulatory uncertainty, with the next key variable being the ongoing Clarity Act, which is expected to benefit stablecoins and tokenized infrastructure; third, the backing of top institutions such as Goldman Sachs, Citadel, BlackRock, Stripe, and Visa behind these three chains stands in stark contrast to the grassroots paths of Ethereum and Solana.Hougan stated that his funds are still primarily betting on native crypto projects and believes that emerging enterprise chains will raise overall competitive standards and attract more capital inflow.

According to Decrypt, Microsoft's threat intelligence department disclosed that attackers implanted malicious code into the Mistral AI package distributed through the PyPI platform. This malicious code automatically runs when developers use it on Linux systems, downloading a malicious file named transformers.pyz and executing it in the background, with the filename deliberately mimicking the widely used Hugging Face Transformers library to confuse users.Microsoft pointed out that this malware primarily steals developer login credentials and access tokens, and it avoids Russian systems. Some of the code can randomly delete device files located in Israel or Iran. This attack is related to the "Shai-Hulud" supply chain attack campaign that started in September. Mistral responded that investigations show the attack originated from compromised developer devices, and the company's infrastructure was not breached.

According to Slow Fog CISO @im23pds's post on the X platform: attackers used 13 accounts to implant 575 malicious Skills into Hugging Face and ClawHub.

According to the official announcement, to further enhance market liquidity and user trading experience, Bitget has launched exclusive fee rate discounts for contract market makers, covering stock, precious metals, commodities, and index contract currency pairs. The Taker fee rate for the above currency pairs has been uniformly adjusted to 0.0065%, and the event will end on June 30. For more details, please refer to the Bitget official platform.

According to market news, Binance has announced the launch of a user-controlled "Withdraw Protection" feature, aimed at preventing offline coercion attacks (commonly known as "wrench attacks") against cryptocurrency holders. This feature allows users to actively lock their account withdrawal permissions for 1 to 7 days and provides a stricter "lock mode," which cannot be lifted early during the set period.Binance stated that this locking mechanism cannot be overridden by platform customer service but is controlled by internal policy, not an on-chain cryptographic lock. Binance's Chief Security Officer, Jimmy Su, indicated that this move stems from the risk trends observed on the platform, including cases where some users in high-risk areas have been forced to transfer funds. By setting a withdrawal delay, it can buy users time to respond and recover in extreme situations.Data shows that incidents of offline coercion against cryptocurrency users are significantly rising in 2025, with related attacks often bypassing traditional account security mechanisms, as the actions are completed by the users themselves under pressure. Industry insiders believe that the time-lock mechanism can change this risk model to some extent. Binance emphasizes that this feature does not affect law enforcement agencies' ability to act in accordance with the law, while also advising users to strengthen API key management and privacy protection to reduce the risk of being targeted.

According to Cointelegraph, the South Korean crypto industry group DAXA (Digital Asset Exchange Alliance), representing 27 registered virtual asset service providers (VASP), has submitted objections to the Financial Services Commission (FSC) and the Financial Intelligence Unit (FIU) regarding the proposed amendments to the implementation order of the Specific Financial Information Act.The new regulations aim to require domestic VASPs to report any virtual asset transfers with foreign VASPs as suspicious transaction reports (STR) if the amount reaches 10 million won (approximately $6,800), regardless of the risk level. DAXA warned that this would cause the annual reporting volume of South Korea's five major trading platforms (Upbit, Bithumb, Coinone, Korbit, Gopax) to surge from about 63,000 last year to over 5.4 million, making compliance practically impossible.The industry also opposes the proposed requirement to verify the accuracy of customer information, arguing that the subordinate rules impose obligations not clearly defined by law. This industry backlash comes as exchanges face sanctions from financial regulators in court. On April 9, the court ruled to lift part of the business suspension against Upbit operator Dunamu, but the regulators have appealed. On April 30, the court suspended the six-month partial business suspension against Bithumb. Coinone also received a temporary stay of execution.The public consultation period for the new regulations ends on May 11, and it is expected to be finalized in July after regulatory and legal reviews. This highlights the tension between South Korea's tightening of crypto anti-money laundering regulations and the industry's concerns about excessive compliance burdens.

Syndicate has released an update regarding the recent security incident, stating that the leakage of private keys led to the malicious upgrade of bridging contracts on two chains, resulting in the theft of approximately 18.5 million SYND (about $330,000) and around $50,000 in customer tokens. Affected users will receive full compensation, and SYND holders will receive additional compensation.The attack involved multi-stage reconnaissance, infrastructure mapping, vulnerability exploitation development, and precise timing, ruling out the possibility of insider involvement. The root cause of the vulnerability was the storage of private keys in a password manager, and the upgrade process did not utilize multi-signature or hardware signing. Syndicate is strengthening security measures, including adding an encryption layer outside the password manager and implementing multi-signature or hardware signing for the upgrade path.

SlowMist CISO 23pds disclosed that the password management tool Bitwarden CLI version 2026.4.0 suffered a Checkmarx supply chain attack between 17:57 and 19:30 Eastern Time. The attacker briefly distributed a malicious package via npm by abusing the GitHub Action in the Bitwarden CI/CD pipeline.The official confirmation states that Vault data was not leaked, and production systems were not affected; only users who installed this version via npm during that time window were impacted. The official recommendation for affected users is to immediately uninstall 2026.4.0, clean the npm cache, rotate sensitive credentials such as API Tokens and SSH Keys, investigate any abnormal activities on GitHub and CI, and upgrade to the fixed version 2026.4.1.

Meta Pool indicates that a suspicious contract has been found attempting to impersonate a legitimate staking pool and tokens. Meta Pool emphasizes that this contract is not associated with Meta Pool or any official NEAR liquidity staking provider.

The dominance of the US dollar has always been a topic of concern, but Franklin Templeton believes that the dollar will remain the preferred currency. The Chief Investment Officer of the company's fixed income department, Sonal Desai, wrote in a report that the dollar's status is supported by three main pillars: the size of the world's largest economy, the depth of the market, and its institutional credibility.Sonal Desai pointed out that there are currently no reliable alternative assets, and it will take decades to establish the institutional infrastructure needed to support such a currency. The debate over the dollar's dominance has intensified, as Trump's erratic trade, geopolitical, and fiscal policies have weakened the appeal of US assets. Some analysts believe that the euro and gold are likely to become preferred reserve assets.

According to Bloomberg, the top derivatives regulator in the United States is investigating a series of "exceptionally timed" crude oil futures trades that occurred before Trump's recent adjustments to Iran war policy. According to informed sources, the investigation has been initiated.The U.S. CFTC is leading the investigation into crude oil futures contract trades conducted on the CME Group and Intercontinental Exchange platforms. Informed sources stated that they requested anonymity due to the information not being public.Currently, both trading platforms have been asked to submit relevant trading data to the regulators to cooperate with the investigation.