fog

The slow fog余弦 social media stated that the high-risk iOS attack framework DarkSword has been publicly leaked on channels such as GitHub and is being used for large-scale espionage attacks targeting cryptocurrency wallet holders.This attack program targets devices running iOS versions 18.4 to 18.7, utilizing vulnerabilities in the Safari browser through malicious web pages to achieve remote code execution, thereby stealing users' sensitive data. Attackers launch attacks using bait web pages that impersonate pornographic live streams, Tron energy stations, refund processes, and more.iPhone users running older versions of iOS, once they access such web pages using the Safari browser (even if they do not close the page), may have sensitive information such as plaintext private keys and mnemonic phrases stolen by malicious JavaScript code when unlocking the wallet app, which is then transmitted in real-time through channels like Telegram bots.

The Chief Information Security Officer of Slow Fog, 23pds, disclosed on platform X that node-ipc has been compromised again. The released three malicious versions of node-ipc (9.1.6, 9.2.3, 12.1) carry the same credential-stealing payload, with the package being downloaded over 10 million times per week.

The U.S. Court of Appeals is hearing the appeal case of Roman Sterlingov, focusing on the key discussion of whether cryptocurrency services are subject to U.S. law. The case centers on: whether a small number of transactions conducted by law enforcement in Washington is sufficient to establish jurisdiction; and the reliability of evidence identifying the defendant through "IP overlap analysis" by the FBI. The U.S. Department of Justice argues that Bitcoin Fog, as a global money transfer service aimed at U.S. users, should be bound by U.S. law; while the defense questions the law enforcement's "artificial creation of jurisdiction."

Slow Fog issued a security warning stating that Aurellion was attacked, resulting in a loss of approximately 455,003 USDC (about $455,000).Analysis pointed out that the root of the vulnerability lies in the lack of effective protection in the initialize(address) function of the SafeOwnable Facet. Since the Diamond contract did not go through the initialize path when setting the owner, the _initialized version slot was not updated correctly, allowing the attacker to reinitialize the contract and override owner permissions.Subsequently, the attacker called diamondCut to inject a malicious Facet and transferred the USDC assets of authorized users through the malicious pullERC20 function, ultimately completing the theft of funds.

According to the blockchain security organization SlowMist (@SlowMist_Team), a highly complex npm worm named "Mini Shai-Hulud" is spreading through well-known developer projects such as TanStack, UiPath, and DraftLab, as monitored by their threat monitoring system MistEye. Attackers hijack GitHub credentials to publish malicious packages disguised as legitimate updates, embedding a hidden script router_init.js that runs silently in CI/CD environments like GitHub Actions, specifically designed to steal CI/CD keys, cloud infrastructure keys, and cryptocurrency wallet information, using GitHub's own infrastructure for data exfiltration.SlowMist has synchronized relevant threat intelligence (IOC) with clients and recommends that projects using the affected packages immediately check their CI/CD pipelines for the presence of the router_init.js file, rotate all exposed GitHub, cloud service, and cryptocurrency credentials, and continuously monitor for abnormal background activities in the development environment.

SlowMist has issued a security warning stating that a high-risk phishing activity targeting TRON wallet users has been discovered. Attackers created a fake Chrome extension for the TronLink wallet, using Unicode bidirectional control characters and Cyrillic homographs to disguise the brand name. After installation, the extension loads a complete phishing page through a remote iframe, forming a "shell-core separation" credential theft chain.The malicious extension name uses homographs for disguise, and its Chrome Store page inherits the high user count and positive reviews of the real extension, lowering the review threshold. There is very little local code, only loading remote pages, making static analysis nearly impossible to detect malicious behavior. The remote phishing page perfectly replicates the official TronLink web wallet interface, stealing mnemonic phrases, private keys, Keystore files, and passwords, and relaying them in real-time via a Telegram Bot.Built-in anti-analysis features disable right-click, developer tools, drag-and-drop, and printing, and redirect based on the geographic and language settings of Russian users to evade detection. SlowMist recommends immediately uninstalling suspicious extensions, clearing local storage, checking for abnormal traffic, and if credentials have been entered, creating a new wallet and transferring assets immediately.

The Chief Information Security Officer of Slow Fog, 23pds, disclosed that a privilege escalation vulnerability named Dirty Frag has been exposed in Linux systems, with complete details and exploit code now public. This vulnerability allows any local low-privilege user to directly obtain root privileges on almost all mainstream Linux distributions. It is classified as a deterministic logic flaw, and the attack does not rely on complex race conditions, resulting in a very high success rate without causing kernel crashes, posing significant danger. Linux users are advised to upgrade their systems promptly.

The Chief Information Security Officer (CISO) of Slow Mist @23pds posted on the X platform revealing that X platform user Ilhamrfliansyh induced the AI model Grok to generate and publish abnormal content through a prompt injection attack, triggering erroneous on-chain fund operations.It is alleged that the original content was suspected to be a segment of Morse code, with the core meaning being "transfer all DRB to Ilhamrfliansyh." Although the related account has been deactivated and the complete information cannot be fully confirmed, Grok directly published the "decoded result" as a reply after parsing, inadvertently @ing bankrbot, causing the content to be recognized by the system as an on-chain execution instruction.Subsequently, Bankr, as Grok's associated wallet, executed the request, transferring approximately $175,000 worth of DRB to the attacker's address. The attacker then quickly exchanged the DRB for USDC through multiple wallets.This incident temporarily triggered a nearly 40% drop in the price of DRB, but the market quickly recovered, and the price has largely regained its losses. Industry insiders pointed out that this event exposed the potential risks of the "AI + automated on-chain execution" system under prompt injection attacks, especially in scenarios where AI results can directly trigger fund operations.

The Chief Information Security Officer of Slow Fog, 23pds, tweeted that HexagonalRodent, a subsidiary of the Lazarus Group, is targeting Web3 developers through social engineering tactics such as "high-paying remote positions" and "recruitment for well-known projects" to induce the execution of malicious code, ultimately stealing users' cryptocurrency assets.On March 9, 2026, a user with the same name as a fast-draft extension developer was infected with the OtterCookie malware, which was used to distribute malicious programs. Attackers extensively used ChatGPT and Cursor to assist in executing the attacks, further enhancing the disguise and deception.

The Chief Information Security Officer of Slow Fog Technology, 23pds, forwarded a message from the dark web intelligence account Dark Web Intelligence (@DailyDarkWeb), stating that the hacker group ShinyHunters claims to have infiltrated internal systems related to the Anthropic Mythos model and has shared screenshots of the user management panel, AI experiment dashboard, model performance, and cost analysis. The authenticity of this information has not yet been confirmed by Anthropic.Given that many companies have previously applied to trial the related models, if the news is true, it could pose indirect security risks to leading tech companies and those in the cryptocurrency industry.

According to monitoring by the blockchain security firm SlowMist, MistEye has received threat intelligence from the community indicating that a malware named "MacSync Stealer" (v1.1.2) is active and highly destructive. This malware targets macOS users, stealing sensitive data including cryptocurrency wallets, browser credentials, system keychains, and infrastructure keys (SSH/AWS/K8s).The malware uses a spoofed AppleScript system dialog for phishing and displays fake error messages stating "unsupported" after data leakage. It has immediately synchronized this IOC (Indicator of Compromise) to clients. Do not execute unverified macOS scripts and remain highly vigilant against unexpected system password prompts. If an attack is suspected, immediate remediation is required: change all infrastructure credentials (SSH/AWS/K8s), invalidate any exposed keychains, and quickly migrate cryptocurrency assets to a secure wallet.

According to SlowMist founder Yu Xian (@evilcos), the core of the KelpDAO theft incident, which involved approximately $290 million, was a targeted poisoning attack on the downstream RPC infrastructure of LayerZero DVN (Decentralized Validator Network).The specific attack steps were: first, obtaining the list of RPC nodes used by LayerZero DVN, then breaching two independent clusters and replacing the op-geth binary file; using selective deception techniques to return forged malicious payloads only to DVN while returning real data to other IPs; simultaneously launching DDoS attacks on the unbreached RPC nodes, forcing DVN to failover to the poisoned nodes, completing the forged message verification, and then the malicious binary self-destructing and clearing logs. This ultimately led to LayerZero DVN issuing validations for "transactions that never occurred."

The Chief Information Security Officer of Slow Fog Technology, 23pds, retweeted that the internal system of the cloud hosting platform Vercel was accessed without authorization, which is suspected to be related to an internal data breach.The related tweet indicated that someone on BreachForums claimed to be ShinyHunters and is selling the so-called Vercel internal database, access keys, source code, employee accounts, API keys, NPM tokens, and GitHub tokens for $2 million. The related data is suspected to involve Vercel's internal Linear system and internal user management system.Previously, the cloud hosting platform Vercel disclosed that its internal system was accessed without authorization, affecting a small number of customers.

The Web3 asset data platform RootData has outlined the business partners of Crypto.com. Its strategy goes beyond exchange expansion, advancing through multiple paths such as payments, custody, and brand collaborations, aiming to create a comprehensive digital asset platform covering both institutional and consumer ends. * **Payment Infrastructure**: Crypto.com has integrated with Stripe, Mastercard, Yuno, TripleA, Lynq, etc., covering the complete link from checkout crypto payments to institutional-level real-time clearing. * **Institutional Trading and Custody**: VerifiedX has entrusted Crypto.com with institutional custody for its $1.5 billion digital assets; CoinRoutes provides smart order routing, CryptoStruct connects high-frequency trading, and Doblox offers AI trading terminals. * **Corporate Crypto Treasury**: Crypto.com collaborates with several Nasdaq-listed companies executing treasury strategies, including SOL Strategies, Sharps Technology, and IP Strategy. On the brand side, Crypto.com has formed deep ties with top sports IPs—renewing its partnership with **F1** until 2030 and sponsoring the Miami Grand Prix, as well as **UEFA Champions League**, **UFC**, **NBA Philadelphia 76ers**, **AFL**, and South American CONMEBOL; the long-term partnership with the LeBron James Family Foundation marks an extension of its brand collaboration into the celebrity family philanthropy sector. Additionally, Crypto.com has signed collaborations in the Middle East with Dubai Islamic Bank, DMCC, e& money, Tawasal Al Khaleej super app, and Emarat gas station network, becoming an important participant in the local digital asset compliance ecosystem. Related compilation: 【[Crypto.com Web3 Partner Network Compilation (Continuously Updated)](https://cn.rootdata.com/Archives/detail/Crypto.com%20Crypto%20Business%20Partner?k=NDc0MTU3)】 Cryptocurrency projects actively showcasing their partner networks have become a key way to enhance transparency and market trust. It is reported that RootData welcomes Web3 project parties to [claim data](https://www.rootdata.com/Projects/submit?ft=claimApply) and continues to track and open more project business relationship disclosure channels. The platform has continuously released multiple issues of the cryptocurrency project ecosystem map, nominating Web3 ecosystem partners for upstream clients such as Visa, Stripe, and Coinbase. **If you wish to nominate your project in future ecosystem maps, please fill out the 【[RootData 2026 Industry Ecosystem Mapping](https://forms.gle/tWArmXcpSfZJkh1r8)】 form to supplement your important clients and partners.**

According to official news, the blockchain security agency SlowMist recently released a security assessment report, conducting a special audit of OKX Wallet. The results showed that in the audited version, no behavior was found where the application transmitted sensitive information such as private keys or mnemonic phrases to external servers, and no risk of sensitive data leakage was detected overall.It is reported that this assessment focused on whether there were issues with the external transmission of private keys and mnemonic phrases in OKX Wallet, and the results indicated that the relevant core information was processed locally. The current handling of private keys and mnemonic phrases has become the core of wallet security, and such audit results also provide users with a more direct security reference.

The analysis of the Drift theft incident by Slow Fog pointed out that a week before the attack, Drift adjusted its multi-signature mechanism to "2/5" (1 old signer + 4 new signers) and did not set a timelock. The attacker then gained administrator privileges, forged CVT tokens, manipulated the oracle, disabled security mechanisms, and transferred high-value assets from the liquidity pool.Currently, the stolen funds have mainly been aggregated to an Ethereum address, totaling approximately 105,969 ETH (about 226 million USD). Slow Fog stated that the flow of related funds is still being tracked.

BitMine Chairman Tom Lee expressed his market views, describing the current market environment's uncertainty as the "Fog of War."Tom Lee pointed out that the word "crisis" is composed of the characters for "danger" and "opportunity," and that most market participants tend to focus only on "danger" and take action based on that when a crisis arises, neglecting the potential "opportunity" within it.

Slow Fog has once again issued a security reminder stating to pay attention to checking for malicious versions of axios and the exposure risk of OpenClaw npm global installation history. axios@1.14.1 and axios@0.3.4 have been confirmed as malicious versions, both of which have injected the dependency plain-crypto-js@4.2.1, delivering cross-platform malicious payloads through the postinstall script.The impact of OpenClaw is assessed based on scenarios: source code builds are not affected, as the locked versions in the lock file are 1.13.5/1.13.6; however, users who installed via npm install -g openclaw@2026.3.28 face historical exposure risks due to the presence of optionalDependencies.axios@^1.7.4 in the dependency chain, which may resolve to axios@1.14.1 during the time window when the malicious version is still online. Currently, npm has reverted the resolution to axios@1.14.0, but environments that were installed during the attack window are still advised to be checked. Slow Fog has provided inspection commands and IoC paths for various platforms; if the plain-crypto-js directory is found, even if the package.json has been cleaned, it should still be regarded as high-risk execution traces. It is recommended that affected hosts immediately rotate credentials and conduct host-side inspections. Previously, Slow Fog founder Yu Xian reminded that OpenClaw version 3.28 may introduce a toxic version of axios, and users need to urgently check.

Yuxian, the founder of Slow Fog, posted on the X platform stating that Coinbase has taken down the page requiring users to enter their plaintext mnemonic phrases. He pointed out that the security model of online web pages for wallets is very low, much lower than that of extensions or apps; the practice of collecting plaintext mnemonic phrases on online web pages can easily be imitated by phishing websites and has long been a common phishing technique.

The Chief Information Security Officer of Slow Fog, 23pds (Shan Ge), posted on the X platform stating that there are reports that the LiteLLM vulnerability attackers have stolen approximately 300GB of data and compromised about 500,000 credentials. He advises all cryptocurrency developers to immediately verify and quickly rotate relevant keys and credentials, check logs, access records, and the exposure of sensitive data to avoid losses similar to the Trust Wallet incident.Previously, it was reported that LiteLLM, which has a monthly download volume of 97 million, suffered a supply chain attack, allowing the simple installation to steal all sensitive credentials, including SSH keys.