Cross-Registry Poisoning: 34 Malicious Packages Targeting Encryption and AI

链上雷达
6 hours ago

On May 25, 2026, SlowMist's MistEye brought a long-brewing attack into the spotlight. Rather than breaking in directly, the attackers went around to the warehouse at the rear and planted malicious packages in three major package registries at once: npm, PyPI, and crates.io. Monitoring results showed that at least 34 malicious packages and over 384 related versions or artifacts had been injected into these public dependency chains, disguised as common development components and aimed squarely at cryptocurrency, DeFi, Solana, Sui/Move, and AI developers. On the surface, developers keep installing dependencies with familiar commands; in reality, they are pulling unknown code into their build systems. The long-established "default trust" in public registries has been breached by this cross-registry poisoning, which ties the on-chain and AI ecosystems into the same dependency chain and directly challenges the security assumptions of the entire crypto development environment.

Poisoning Across Three Registries: How 34 Malicious Packages Sneaked In

This is not just a matter of quietly tossing a suspicious package into a corner. SlowMist's MistEye revealed that the attackers struck the three mainstream package registries (npm, PyPI, and crates.io) simultaneously, splitting the same set of malicious logic into "components" for different languages and ecosystems and spreading them across multiple registries. Earlier supply chain attacks were often concentrated on a single registry; simultaneous poisoning across three platforms is relatively rare. If developers mix these registries in multi-language, multi-framework projects, the same contaminated dependency chain runs from front-end scripts all the way to back-end services.

To avoid immediate detection, these malicious packages were deliberately named and described as normal development or security tools: some claimed to provide SDKs or debugging components for cryptocurrency and DeFi, others presented themselves as support libraries for Solana and Sui/Move, and some claimed to be development-assistance and security-detection tools for AI scenarios. The attackers were betting on the habitual "default trust" in public registries, so that developers would pull these packages into their build processes without realizing it. MistEye currently confirms that at least 34 malicious packages and over 384 versions or build artifacts have been deployed. This pattern of version iteration and bulk distribution indicates that the attack is not a one-time probe but a planned, sustainable supply chain infiltration operation.

From DeFi to Solana: The Target Developer Battlefield

In the campaign disclosed by MistEye, the targets were not single projects but an entire chain of developers: back-end engineers responsible for cryptocurrency and DeFi projects, developers working on contracts and tools for public chains like Solana and Sui/Move, and AI developers who also depend on the open-source ecosystem all fall within the same round of attacks. For these people, npm, PyPI, and crates.io are not "optional resource libraries" but the foundation on which they build wallet plugins, node maintenance scripts, contract interaction SDKs, and even model back-end services every day. If a malicious dependency reaches the production environment through them, the result is an uncontrolled piece of external code embedded in a critical business path.

In the on-chain world, the impact of such an implant rarely stops at "a development machine being compromised." If the wallet signing component is replaced, every transaction a user initiates might be altered locally; once node services and monitoring scripts have backdoors implanted, the statuses the operations team sees can no longer be trusted; if the contract back end and AI service gateway are hijacked by malicious dependencies, sensitive operations such as interface authentication, private key calls, and task queues may be bypassed, copied, or replayed. What the attackers are targeting are dependencies that superficially appear to be mere "development tools." Once in place, they can quietly move along the engineering pipeline of a Web3 project toward the security boundaries where real assets and data are located.

Single Point Defense Failure: Cross-Registry Poisoning Amplifies Risks

When malicious dependencies are no longer restricted to a single repository, the original idea of "guarding one door" immediately becomes ineffective. Previous supply chain attacks faced by the open-source community often focused on a single registry (casting a net only on PyPI, or only on npm), which allowed security teams to strengthen detection rules for that platform, clean up malicious packages, and assist developers with whitelist and mirror source management. This time, however, attackers have simultaneously deployed at least 34 malicious packages and hundreds of version artifacts on npm, PyPI, and crates.io, meaning that the JavaScript components used in the back end of on-chain projects, the Python dependencies in AI engineering scripts, and even the underlying Rust libraries could all be intercepted by the same attacker at different stages.

According to disclosures from SlowMist and subsequent feedback from the security community, several institutions have begun to analyze this cross-registry attack collaboratively, but their detection scopes, disposal lists, and reinforcement plans have not been fully disclosed, and the protections that developers can directly perceive remain limited. The more practical issue is that crypto, DeFi, Solana, Sui/Move, and AI project teams habitually trust these public registries by default during daily development, writing version numbers into configuration files and letting CI/CD pull dependencies automatically. Once the attack surface spreads across platforms, the review of a single registry or one specific security scanning tool can hardly cover every entry point along the engineering pipeline. The old model of default trust in public registries is rapidly being hollowed out by such cross-registry poisoning incidents.

What Should Teams Do: Security Remediation in Development Processes

For crypto and AI project teams, this incident has made one thing very clear: public registries are merely download sources, not security boundaries. SlowMist has counted at least 34 malicious packages and over 384 associated versions deployed to npm, PyPI, and crates.io, across multiple iterations that can be mixed in, which shows that the intuition of "upgrading dependencies = automatic security" is fundamentally flawed. Teams need to pull dependency management back into their own engineering systems: core repositories must enable whitelisting and version locking, clearly defining which packages and versions are allowed into production builds; any newly added or upgraded dependency must go through a code audit or security review, rather than a developer casually adding a version line to a configuration file that flows straight into CI/CD.

This is especially true for on-chain projects. Contract deployment scripts, node maintenance tools, and key build steps should be managed in a separate layer from ordinary business code, with a more conservative update pace and stricter auditing and rollback plans. Crypto and DeFi teams have long been accustomed to using automated pipelines to pull dependencies across multiple environments. Once a malicious package contaminates that pipeline, it spreads end to end: "development machine → testnet → mainnet". AI teams also rely heavily on open-source packages, stacking model training, inference services, and data processing scripts on top of third-party libraries. If dependency auditing is not incorporated into routine processes, the project's core infrastructure is effectively handed over to uncontrolled external version numbers.
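One way to enforce the whitelisting and version locking described above across all three registries at once, as an added example that is not from SlowMist or the original article: a CI gate that reads `package-lock.json`, `requirements.txt` and `Cargo.lock` and reports every resolved dependency that is not an explicitly approved name and version. The package names, the allowlist layout and the function names are assumptions constructed for illustration.

```python
import json
import re

def npm_pins(lock_text):
    """(name, version) pairs from a package-lock.json v2/v3 "packages" map."""
    pkgs = json.loads(lock_text).get("packages", {})
    return [(path.rsplit("node_modules/", 1)[-1], meta.get("version"))
            for path, meta in pkgs.items() if path]  # "" is the root project

def pypi_pins(req_text):
    """(name, version) pairs from requirements.txt; version is None unless '=='."""
    pins = []
    for raw in req_text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip("\\").strip()
        if not line or line.startswith("-"):  # options and --hash continuations
            continue
        m = re.match(r"([A-Za-z0-9._-]+)(?:\[[^\]]*\])?\s*(?:==\s*([^\s;,]+))?", line)
        if m:
            name = re.sub(r"[-_.]+", "-", m.group(1)).lower()  # PEP 503 form
            pins.append((name, m.group(2)))
    return pins

def cargo_pins(lock_text):
    """(name, version) pairs from Cargo.lock [[package]] tables."""
    return re.findall(r'\[\[package\]\]\s+name = "([^"]+)"\s+version = "([^"]+)"',
                      lock_text)

def violations(allow, npm_lock=None, requirements=None, cargo_lock=None):
    """Every resolved dependency that is not an allowlisted (name, version)."""
    resolved = []
    if npm_lock:
        resolved += [("npm", n, v) for n, v in npm_pins(npm_lock)]
    if requirements:
        resolved += [("pypi", n, v) for n, v in pypi_pins(requirements)]
    if cargo_lock:
        resolved += [("crates.io", n, v) for n, v in cargo_pins(cargo_lock)]
    return sorted((eco, n, v or "UNPINNED") for eco, n, v in resolved
                  if v not in allow.get(eco, {}).get(n, set()))

# Constructed sample inputs (package names are placeholders, not real packages).
ALLOW = {"npm": {"alpha-lib": {"1.2.3"}}, "pypi": {"beta-sdk": {"0.9.1"}},
         "crates.io": {"gamma-core": {"2.0.0"}}}
NPM = json.dumps({"packages": {"": {"name": "app"},
    "node_modules/alpha-lib": {"version": "1.2.3"},
    "node_modules/@demo/delta": {"version": "4.0.0"}}})
REQS = "Beta_SDK==0.9.1 \\\n    --hash=sha256:PLACEHOLDER\nepsilon>=1.0  # floating\n"
CARGO = '[[package]]\nname = "gamma-core"\nversion = "2.0.1"\nsource = "registry"\n'

if __name__ == "__main__":
    for v in violations(ALLOW, NPM, REQS, CARGO):
        print("BLOCK", *v)
```

The gate fails closed: a floating specifier such as `>=` is reported as `UNPINNED`, and a version bump that nobody approved is blocked even when the package name itself is on the list.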

Long-Term Offense and Defense in Supply Chains: Where Will the Next Alarm Sound?

The cross-registry supply chain attack revealed by SlowMist's MistEye on May 25, 2026, has lit up the "default trust" link that crypto and AI developers share: the attackers were able to plant at least 34 malicious packages and over 384 related versions on npm, PyPI, and crates.io simultaneously, which indicates that supply chain attacks are no longer one-off incidents but a long-term battlefield that can be probed repeatedly. More troubling still, public information so far has not disclosed the attackers' identities, the specific affected projects, or the number of users involved. Although several security organizations have stepped in, cleanup and defense upgrades are still in progress, so what is visible today is only part of the attack surface. Three lines of inquiry are worth watching closely over the long term: first, whether registry platforms like npm, PyPI, and crates.io will make substantial improvements to their review mechanisms, package signatures, and rollback processes; second, whether security vendors like SlowMist can turn the detection experience from this cross-ecosystem poisoning into sharper monitoring capabilities; third, whether crypto, DeFi, and AI teams can push security norms such as dependency auditing and least trust into practice at an industry level. The next alarm is likely to sound on the dependency links we consider "most familiar and secure," and whether it is heard in advance will depend on how quickly these three areas move from lessons learned to normal practice.
