On June 3, 2026, Microsoft Threat Intelligence revealed a new supply-chain attack targeting cryptocurrency users through two compromised npm packages. The packages, utils-terminal@3.2.1 and logger-active@3.2.1, were found to contain a remote access trojan (RAT) capable of capturing keystrokes, screenshots, and cryptocurrency wallet credentials. The malware abused Hugging Face APIs and repositories to exfiltrate stolen data, masking its activity by leveraging a trusted platform for artificial intelligence development.
The attack underscores growing risks in software supply chains, particularly for developers who may unknowingly install infected dependencies. According to Microsoft, the RAT could harvest sensitive information from development machines, including browser wallets, API keys, cloud credentials, and source code access—potentially granting attackers control over wallets, trading bots, and infrastructure. The incident is part of a broader pattern of cybercriminals targeting open-source registries like npm, PyPI, and Rust ecosystems to reach a wider pool of victims.
Microsoft advised developers to review installed packages, remove suspicious dependencies, rotate exposed credentials, and monitor wallet activity. Security experts also stressed the importance of storing seed phrases offline and verifying software sources before integration. While the attack does not compromise blockchain networks themselves, it highlights the need for heightened vigilance among crypto users and developers.
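As a starting point for the package review Microsoft recommends, the following added example (not code from Microsoft or from the article) checks a parsed package-lock.json for the two package versions named above, including transitive and aliased installs. It covers both the nested lockfile format (version 1) and the flat one (versions 2 and 3); the sample lockfiles are constructed, and matching is exact on version because the article names only 3.2.1.

```javascript
// Added example. The two name@version pairs are the ones named in the article.
const FLAGGED = new Map([
  ["utils-terminal", new Set(["3.2.1"])],
  ["logger-active", new Set(["3.2.1"])],
]);

// Takes a parsed package-lock.json (JSON.parse of the file contents) and returns
// every flagged install, direct or transitive, with the location it was found at.
function findFlagged(lock) {
  const hits = [];
  const check = (name, version, where) => {
    const bad = FLAGGED.get(name);
    if (bad && bad.has(version)) hits.push({ name, version, where });
  };
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path; "" is the root project.
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "") continue;
      // meta.name is set when the folder is an alias for a differently named package;
      // otherwise the name is whatever follows the last "node_modules/".
      check(meta.name || path.split("node_modules/").pop(), meta.version, path);
    }
  } else {
    // lockfileVersion 1: nested "dependencies" trees, walked recursively.
    const walk = (deps, trail) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        check(name, meta.version, [...trail, name].join(" > "));
        walk(meta.dependencies, [...trail, name]);
      }
    };
    walk(lock.dependencies, []);
  }
  return hits;
}

// Constructed sample lockfiles (not taken from any real project).
const SAMPLE_V3 = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/build-tool/node_modules/utils-terminal": { version: "3.2.1" },
  "node_modules/log": { name: "logger-active", version: "3.2.1" }, // alias install
  "node_modules/utils-terminal": { version: "3.1.0" }, // different version: no match
} };
const SAMPLE_V1 = { lockfileVersion: 1, dependencies: {
  "build-tool": { version: "2.0.0",
    dependencies: { "logger-active": { version: "3.2.1" } } },
} };
console.log(findFlagged(SAMPLE_V3), findFlagged(SAMPLE_V1));
```

A hit in the lockfile means the package was resolved for the project; any machine that ran an install from it should be treated as exposed for the purposes of the credential rotation described above.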