slow

According to Slow Fog monitoring, the DTXT/USDT trading pair on the BNB Chain was attacked, resulting in a loss of approximately 35,041 USDT.The root cause of the attack lies in the DTXT contract, which determines the type of operation by comparing the USDT balance with the trading pair's reserve amount. The attacker directly transferred a small amount of USDT to the trading pair address, causing a large DTXT sell-off to be misjudged as adding liquidity, thus bypassing the sell transaction fee logic.The attacker borrowed 1,077,400 USDT through a flash loan from Moolah, making a profit of approximately 35,000 USDT.

According to SlowMist monitoring, a new type of Rust supply chain malware activity named IronWorm is attacking developer environments and the Web3 ecosystem through malicious npm packages. Potential attack behaviors include credential theft, wallet mnemonic and password theft, GitHub repository tampering, malicious package publishing, CI/CD secret leakage, Tor-based command control, and eBPF rootkit stealth.Security teams should audit the repository for backtracked commits, suspicious branches, unexpected build hooks, and commits from automated identities such as claude, dependabot, renovate, or github-actions. It is recommended to remove or deprecate affected package versions, publish clean versions, rotate all leaked keys and tokens, review GitHub Actions artifacts, and rebuild potentially compromised development or CI systems from clean images.

SlowMist has issued a security alert, detecting an active npm supply chain attack targeting @redhat-cloud-services related packages. Currently, over 31 packages have been confirmed affected, with a weekly download volume of approximately 116,000 times, and stolen credentials exist in more than 300 GitHub repositories. This attack method is highly similar to the previous "Shai-Hulud" npm attack, including credential theft, creation of malicious repositories, and automated secret leakage. New suspicious repositories continue to emerge, indicating that the attack is still ongoing, and developers are still being continuously infected.Potential harms include: theft of GitHub/npm tokens, leakage of AWS/GCP/Azure cloud credentials, collection of SSH keys and Kubernetes secrets, leakage of local environment and wallet data, creation of malicious repositories and persistence operations, and even potentially destructive actions after tokens are revoked. It is recommended to immediately remove or downgrade affected @redhat-cloud-services package versions, conduct a comprehensive audit of CI/CD workflows and dependency installations, rotate all GitHub, npm, cloud service, SSH, and wallet-related keys, retain logs, and rebuild exposed developer machines or Runners from clean images while maintaining a high level of vigilance.

The founder of Slow Fog, Yu Xian, posted on the X platform to interpret the Squid security incident. He stated that sampling found that the related Safe wallets were all single-signature, and the owners were all different, but the issue was not with the private keys; the problem lay in the modules (SquidRouterModule) used by these Safe addresses, which had vulnerabilities. Attackers could forge messages, easily bypass relevant validations, and initiate subsequent exchange operations to transfer funds from the target Safe wallet. In addition, Yu Xian also disclosed information about the address where the attackers' profits were deposited.Previously, it was reported that a third-party Gnosis Safe module was exploited on Base and Ethereum, resulting in a loss of approximately $3.2 million, with the victims being 86 Gnosis Safes that had added this contract as a trusted Safe Module. The contract was named "SquidRouterModule" on Basescan, and subsequently, Squid clarified that it was not affected by the Gnosis Safe-related vulnerability incident.

Slow Fog's Yu Xian posted on the X platform stating that the reason for the Verus theft may be that the attacker constructed a forged Merkle proof, which passed the verification of the Verus Ethereum bridge (not open source), thus successfully withdrawing funds (ETH/tBTC/USDC). Specific details need to be further verified.

The slow fog余弦 social media stated that the high-risk iOS attack framework DarkSword has been publicly leaked on channels such as GitHub and is being used for large-scale espionage attacks targeting cryptocurrency wallet holders.This attack program targets devices running iOS versions 18.4 to 18.7, utilizing vulnerabilities in the Safari browser through malicious web pages to achieve remote code execution, thereby stealing users' sensitive data. Attackers launch attacks using bait web pages that impersonate pornographic live streams, Tron energy stations, refund processes, and more.iPhone users running older versions of iOS, once they access such web pages using the Safari browser (even if they do not close the page), may have sensitive information such as plaintext private keys and mnemonic phrases stolen by malicious JavaScript code when unlocking the wallet app, which is then transmitted in real-time through channels like Telegram bots.

The Chief Information Security Officer of Slow Fog, 23pds, disclosed on platform X that node-ipc has been compromised again. The released three malicious versions of node-ipc (9.1.6, 9.2.3, 12.1) carry the same credential-stealing payload, with the package being downloaded over 10 million times per week.

Delphi Digital published a report stating that the variable rate Series A perpetual preferred stock STRC of Strategy has an authorized issuance limit of approximately $28.3 billion. If this value is reached without expanding the limit, the accumulation rate of Bitcoin by Strategy may slow down.On Monday, Strategy purchased 535 Bitcoins for $43 million, with most of the funds raised through the sale of Class A common stock MSTR. Currently, Strategy's market net asset value is 1.25 times. Researchers pointed out that when mNAV is low, Strategy uses STRC as the main accumulation tool, and if mNAV expands, it may acquire Bitcoin through the sale of MSTR. Strategy has a cash reserve of $2.25 billion, and the next significant cash obligation will mature in September 2027.

Slow Fog issued a security warning stating that Aurellion was attacked, resulting in a loss of approximately 455,003 USDC (about $455,000).Analysis pointed out that the root of the vulnerability lies in the lack of effective protection in the initialize(address) function of the SafeOwnable Facet. Since the Diamond contract did not go through the initialize path when setting the owner, the _initialized version slot was not updated correctly, allowing the attacker to reinitialize the contract and override owner permissions.Subsequently, the attacker called diamondCut to inject a malicious Facet and transferred the USDC assets of authorized users through the malicious pullERC20 function, ultimately completing the theft of funds.

According to the blockchain security organization SlowMist (@SlowMist_Team), a highly complex npm worm named "Mini Shai-Hulud" is spreading through well-known developer projects such as TanStack, UiPath, and DraftLab, as monitored by their threat monitoring system MistEye. Attackers hijack GitHub credentials to publish malicious packages disguised as legitimate updates, embedding a hidden script router_init.js that runs silently in CI/CD environments like GitHub Actions, specifically designed to steal CI/CD keys, cloud infrastructure keys, and cryptocurrency wallet information, using GitHub's own infrastructure for data exfiltration.SlowMist has synchronized relevant threat intelligence (IOC) with clients and recommends that projects using the affected packages immediately check their CI/CD pipelines for the presence of the router_init.js file, rotate all exposed GitHub, cloud service, and cryptocurrency credentials, and continuously monitor for abnormal background activities in the development environment.

SlowMist has issued a security warning stating that a high-risk phishing activity targeting TRON wallet users has been discovered. Attackers created a fake Chrome extension for the TronLink wallet, using Unicode bidirectional control characters and Cyrillic homographs to disguise the brand name. After installation, the extension loads a complete phishing page through a remote iframe, forming a "shell-core separation" credential theft chain.The malicious extension name uses homographs for disguise, and its Chrome Store page inherits the high user count and positive reviews of the real extension, lowering the review threshold. There is very little local code, only loading remote pages, making static analysis nearly impossible to detect malicious behavior. The remote phishing page perfectly replicates the official TronLink web wallet interface, stealing mnemonic phrases, private keys, Keystore files, and passwords, and relaying them in real-time via a Telegram Bot.Built-in anti-analysis features disable right-click, developer tools, drag-and-drop, and printing, and redirect based on the geographic and language settings of Russian users to evade detection. SlowMist recommends immediately uninstalling suspicious extensions, clearing local storage, checking for abnormal traffic, and if credentials have been entered, creating a new wallet and transferring assets immediately.

In February this year, several Chinese citizens were raided by the police at a rented villa in Country Heights, Kajang, Malaysia. The police claimed to suspect that the Chinese citizens were involved in fraud, and subsequently, the Chinese citizens were forced to transfer about $50,000 (approximately 200,000 ringgit) in USDT. The police later arrested 12 officers involved in the case and removed them from frontline duties, but the investigation still awaits technical reports and digital evidence results, and there has been no breakthrough to date.Lawyer Charles, representing eight Chinese victims, stated that the investigation is progressing too slowly. Since the arrest of the 12 involved police officers, there has been no further information, raising suspicions of internal interference attempting to suppress the case. He warned that if there is internal protection, he will file a complaint with the Malaysian Anti-Corruption Commission.

BTC IV 39%, ETH IV 55%; ETH Skew is at a critical turning point------the mid to long term stabilizes at +2 to +5, while the short term has repeatedly dropped to -10 but quickly returned to zero. If ETH stabilizes above $2,400, the short term turning positive will resonate with the mid to long term, confirming a shift from event hedging to upward chasing. The BTC/ETH GEX Term Structure shows that the near-month Gamma has clearly turned positive, with ETF inflows and Call accumulation driving a positive Gamma slow bull structure------under a Long Gamma environment for market makers, the short term is inclined towards high-level fluctuations and slow increases, with IV retreating. Bull Call Spread and selling Put strategies are dominant, but the far month retains negative Gamma reflecting ongoing tail hedging demand. In terms of block trades, 1,001.8 BTC 5/8 expiration $88K Calls were traded, and 14,288 ETH 5/15 expiration $2,600 Calls were traded, indicating clear bullish signals from institutions.Gate has launched the "Rising Star Trader Support Program" for options, with a total prize pool of $25,000 USDT. During the event, users can earn multiple rewards through options trading, inviting friends, and participating in KOL incubation camps: the highest reward for meeting trading volume standards can reach $3,000, and the highest commission for inviting can reach $2,000. Meanwhile, the platform also provides high-quality traders with 1-on-1 options hedging training, exclusive rate discounts, and traffic support, helping traders enhance their strategy capabilities and market influence, and providing a more competitive trading environment and growth opportunities for professional options users.

The Chief Information Security Officer of Slow Fog, 23pds, disclosed that a privilege escalation vulnerability named Dirty Frag has been exposed in Linux systems, with complete details and exploit code now public. This vulnerability allows any local low-privilege user to directly obtain root privileges on almost all mainstream Linux distributions. It is classified as a deterministic logic flaw, and the attack does not rely on complex race conditions, resulting in a very high success rate without causing kernel crashes, posing significant danger. Linux users are advised to upgrade their systems promptly.

The latest report released by Bank of America (BofA) indicates that in April, the user growth of Gemini and Claude was robust, while the growth rate of ChatGPT continued to slow down. The report stated: In terms of U.S. web traffic, Google saw a year-on-year increase of 2% to 546 million visits, ChatGPT grew by 30% year-on-year to 34 million visits (equivalent to 6% of Google), Bing decreased by 6% year-on-year to 44 million visits, and Claude increased by 715% year-on-year to 7.1 million visits. In terms of month-on-month growth, Google grew by 1%, ChatGPT grew by 1%, Claude grew by 28%, and Gemini grew by 8%.

The Chief Information Security Officer (CISO) of Slow Mist @23pds posted on the X platform revealing that X platform user Ilhamrfliansyh induced the AI model Grok to generate and publish abnormal content through a prompt injection attack, triggering erroneous on-chain fund operations.It is alleged that the original content was suspected to be a segment of Morse code, with the core meaning being "transfer all DRB to Ilhamrfliansyh." Although the related account has been deactivated and the complete information cannot be fully confirmed, Grok directly published the "decoded result" as a reply after parsing, inadvertently @ing bankrbot, causing the content to be recognized by the system as an on-chain execution instruction.Subsequently, Bankr, as Grok's associated wallet, executed the request, transferring approximately $175,000 worth of DRB to the attacker's address. The attacker then quickly exchanged the DRB for USDC through multiple wallets.This incident temporarily triggered a nearly 40% drop in the price of DRB, but the market quickly recovered, and the price has largely regained its losses. Industry insiders pointed out that this event exposed the potential risks of the "AI + automated on-chain execution" system under prompt injection attacks, especially in scenarios where AI results can directly trigger fund operations.

The report shows that as of the end of March, the value of gold in the USDT reserves is $19.8 billion, which is approximately 132 metric tons based on market prices at that time, an increase from 126 tons at the end of December last year, but gold only accounts for 10% of the reserves.The USDT reserves are mainly composed of $117 billion in U.S. Treasury bonds, with Bitcoin accounting for $7 billion. The current circulation of USDT is $189.5 billion.

According to Jinshi reports, Federal Reserve Chairman Powell stated that people are still spending, and there has not yet been a noticeable slowdown due to rising gasoline prices.