The cryptocurrency ecosystem has experienced multiple security incidents within a 24-hour window, highlighting three distinct attack vectors targeting users, investors, and software developers. Fraudsters impersonated SecondFi through fake browser extensions and applications designed to steal wallet access. An early Solana whale wallet was compromised, resulting in the theft of 180,900 SOL valued at approximately $14.2 million. Meanwhile, a sophisticated software supply chain attack compromised the jscrambler npm package after attackers stole publishing credentials, releasing multiple malicious versions containing information-stealing code.
Crypto scams are becoming increasingly prevalent, drawing widespread attention. More than three breaches occurred in the past 24 hours, with several notable cases.
SecondFi fell victim to a scam where fraudsters impersonated the platform by developing phony browser extensions and applications intended to steal cryptocurrency or access users’ wallets. According to SecondFi, the team clarified that there is no new application or link, it is the same. The team asserted it will never ask users to download software, click links, sign transactions, or transfer assets through direct messages or emails. To prevent phishing scams and money theft, the team advised users to install only the official Chrome extension with a blue verified checkmark and access SecondFi via its official website.
In a second incident, blockchain investigator ZachXBT claims that an early Solana whale wallet was compromised, resulting in the theft of 180,900 SOL worth $14.2 million. On-chain data showed the wallet displayed unusual unstaking activity, indicating the attacker took over staked assets before transferring them to newly created Solana addresses. The stolen assets were later bridged from Solana to Ethereum to obscure transaction trails, and the investigation asserted that some money had already been transferred using Tornado Cash.
Finally, the jscrambler npm package became the target of a software supply chain attack after an attacker allegedly stole login credentials needed to release new versions. An information-stealing payload was included in malicious releases 8.14.0, 8.16.0, 8.17.0, 8.18.0, and 8.20. These releases ran malicious code on Linux, macOS, or Windows systems, initially distributed through a preinstall script. In versions 8.18.0 and 8.20.0, the attacker incorporated malicious code directly into the package, evading security measures like npm install –ignore-scripts. According to jscrambler, the attack was made possible by compromised npm publishing credentials, and developers were urged to update immediately to version 8.22.0 containing the fix.
