
Blockchain Security Brief
The weekly record of web3's darkest hours
Monday, April 6, 2026

Top Exploits
Whether it’s admin keys or npm tokens, attackers aren’t breaking systems - they’re inheriting trust that was never meant to be exposed.
This week:
• Drift Protocol lost $286M after its admin private keys were compromised, giving the attacker full control over protocol vaults. With privileged access, they drained liquidity across multiple vaults within an hour, then swapped and bridged funds across chains in a premeditated operation consistent with DPRK playbooks.
• Axios became a malware distribution channel after a compromised npm token let attackers push poisoned versions of one of JavaScript’s most widely used libraries. By modifying only package dependencies, they slipped a RAT into millions of installs, bypassing GitHub visibility and turning routine updates into credential harvesting at scale.
Rekt Audit Broker
The big city sleeps, but the code never does. Neither do the crooks.
Rekt Audit Broker connects protocols with top-tier security firms. One request, multiple bids. Faster audits, fairer pricing, trusted partners.
Audits are cheaper than funerals.
Deep Dives
OpenClaw Security Report (46 min read)
OpenClaw scaled like a side project and shipped like one. Built for “trusted” local use, it was dropped into production with root-level access, weak identity checks, and a plugin ecosystem that doubled as a supply chain attack surface.
Safeguarding cryptocurrency by disclosing quantum vulnerabilities responsibly (8 min read)
Google’s latest research shows breaking elliptic curve crypto may require far fewer resources than expected, putting most blockchain security assumptions on a shrinking timeline.
Month in Review: Top DeFi Hacks of March 2026 (4 min read)
Fewer hacks, same story. One protocol didn’t understand its own token standard, another ignored a known edge case, and a third trusted an off-chain key to decide how much money to mint.
Explained: The Axios Hack (March 2026) (4 min read)
A trusted package pushed a clean update - except it wasn’t. A stolen npm token let the attacker slip a malicious dependency into axios, turning installs into RAT deployments across millions of machines. No code changed, no alarms triggered - just one poisoned dependency quietly spreading access.
Infostealers to Cloud Takeovers: Detect and Break Session Replay Chains (6 min read)
One stolen cookie is all it takes. Infostealers don’t stop at credentials - they lift active sessions and hand attackers a ready-made login, no password or MFA required. From there, it’s not intrusion, it’s continuation: replay the session, escalate privileges, and lock in persistence before anyone notices.
Other Security Stories
Fake P2P traders pose as exchange support and disappear with funds. Victims send fiat or crypto expecting a trade, but the “intermediary” controls both sides - turning it into a one-way transaction.
A $9.3M exploit dispute spills into court instead of crypto twitter. Accusations around the Resupply hack escalated into harassment claims, showing how unclear accountability after exploits turns technical failures into personal attacks.
A DNS hijack redirected users to a malicious Steakhouse frontend. Attackers social-engineered the hosting provider to reroute traffic, turning the interface into a trap while the smart contracts kept running untouched.
ClickFix tricks users into infecting themselves with DeepLoad malware. Victims paste fake “fixes” into PowerShell, triggering a loader that steals browser credentials and quietly re-infects the system days later using built-in Windows features.
Crypto-funded “revenge-for-hire” services move offline harassment into a paid marketplace. Customers pay in crypto to outsource threats, vandalism, and intimidation, turning anonymous transactions into real-world attacks with little friction.
New Tools and Projects
MuTON and mewt: Two new open-source mutation testing tools from Trail of Bits built for the agentic era, with MuTON focused on TON languages and mewt acting as the language-agnostic core for Solidity, Rust, Go, and more.
Blockchain Intelligence Agents: Chainalysis’ new agent push brings AI into investigations and compliance workflows, trained on millions of past investigations to help analysts trace funds and surface suspicious patterns faster.
FORGE-Curated: A newly released EVM smart contract vulnerability dataset built for research and benchmarking, updated with manually verified findings from audit reports through early 2026 to support tasks like LLM-based auditing and vulnerability analysis.
Giskard OSS v3: A rebuilt open-source eval and red-teaming library for the agentic era, focused on testing LLM and agent behavior under adversarial conditions.
Rekt Flashback
Three years ago, SushiSwap showed how one bad router can turn token approvals into an open drain. A flawed callback in the RouteProcessor2 contract let attackers impersonate a pool and pull funds from any approved wallet, draining ~$3.3M across chains. Same approval risk, same trust in new contracts, same reminder that in DeFi, you don’t need to hack them - you just wait for them to approve the wrong thing.
Memes and Videos
Inside the FSB’s Secret Hacker Network
A million infected machines, hundreds of millions stolen, and the guy behind it still chilling in Russia. GameOver Zeus wasn’t just cybercrime - it doubled as state-friendly espionage with built-in plausible deniability.
Want to partner with us?
Skip the bots, hit the brains.
Get your message in front of the sharpest, most battle-tested crowd in crypto.
If they notice you, the whole space will. [Partner with us]
We provide an anonymous platform for whistleblowers and DeFi detectives to present their information to the community. All authors remain anonymous.
We are all rekt.