Search results for ThreatIntelligence
Tweets including ThreatIntelligence
Today, our very own Executive Director Justine Bone (@justinembone) is speaking at Financial Services Explained Day in Washington, DC. Crypto ISAC is looking forward to joining a panel discussion on cryptocurrency, cybersecurity, and what meaningful protection for the digital asset ecosystem requires in practice. We’re glad to be part of the conversation with public-sector and technical cybersecurity stakeholders working to better understand emerging threats and strengthen collaboration across the ecosystem. #CryptoISAC #Cybersecurity #DigitalAssets #ThreatIntelligence #PublicPrivate
Big News! 📣 @Ripple is now contributing high-confidence DPRK threat data through Crypto ISAC, helping security teams move from awareness to action. The reality is North Korean threat actors aren’t just attacking crypto, they’re infiltrating it. The latest wave of attacks is shifting away from traditional exploits and toward something harder to detect: trusted access gained through social engineering, recruitment, and long-term deception. In our new blog with Ripple, we break down:
- How these campaigns operate “from the inside out”
- Why traditional indicators aren’t enough to catch them
- And how shared, enriched threat intelligence is changing the equation
Because in this environment, no single company can see the full picture alone. Read more 👇
#CryptoSecurity #ThreatIntelligence #DPRK #Cybersecurity #DigitalAssets #CryptoISAC
🚨 Threat Intelligence | Analysis of a Fake TronLink Chrome Extension Phishing Campaign 🚨
SlowMist’s MistEye threat monitoring system recently detected a high-risk phishing campaign targeting #TRON wallet users. Attackers created a fake Chrome MV3 extension impersonating @TronLinkWallet, using Unicode bidirectional control characters and Cyrillic homoglyphs to spoof the brand name. Once installed, it loads a full phishing page via remote iframe — forming a “shell-core separation” credential theft chain.
🔍 Key Findings:
🔹 The extension name uses homoglyphs for disguise. Its Chrome Web Store page inherits the real extension’s high user count and positive reviews, significantly lowering review barriers.
🔹 Local code is extremely minimal — it only loads a remote page, making static analysis almost useless for detecting malice.
🔹 The remote phishing page perfectly replicates the official TronLink Web wallet UI, stealing mnemonic phrases, private keys, Keystore files, and passwords, then exfiltrating them in real time via Telegram Bot.
🔹 Built-in anti-analysis features (disables right-click, DevTools, drag-and-drop, printing) and geo/language-based redirection for Russian users to evade detection.
⚠️ This is not a simple fake extension — it employs advanced techniques like remote dynamic loading and anti-forensics, making it extremely difficult for traditional static scanners to catch.
🛡️ Immediate Actions:
• Uninstall any suspicious extension (Malicious ID: ekjidonhjmneoompmjbjofpjmhklpjdd)
• Official TronLink extension ID: ibnejdfjmmkpcnlpebklmnkoeoihofec
• Clear localStorage and check for abnormal traffic
• If credentials were entered, create a new wallet immediately and transfer assets
📖 Full technical analysis + IOCs + self-check guide here 👇
🚨 SlowMist TI Alert 🚨
MistEye has received critical threat intelligence regarding an active supply chain attack compromising node-ipc, a foundational Node.js library. The malicious releases have been identified as versions 9.1.6, 9.2.3, and 12.0.1. Threat actors injected an obfuscated credential-stealing payload into the CommonJS bundle. Once loaded, it silently harvests over 90 categories of developer data—including AWS, Azure, GCP, SSH, K8s tokens, and Terraform states—and exfiltrates it to attacker-controlled infrastructure. We have synchronized this IOC with our clients immediately.
Detection & Remediation: Please urgently audit your environments for exposure:
• Dependencies: Run npm ls node-ipc --all to identify direct or transitive inclusions.
• Lockfiles: Search package-lock.json, yarn.lock, or pnpm-lock.yaml for the affected version ranges.
• CI/CD: Review pipeline jobs executed after May 14, 2026, that may have pulled loose semver updates (~9.1.x, ^12, etc.).
⚠️ Critical Action: If a compromised version was installed, assume certain compromise. Do not wait for exfiltration confirmation. Downgrade to a known safe version immediately and aggressively rotate all credentials, tokens, and environment secrets present on the affected machine or CI runner. As always, stay vigilant!
🚨 SlowMist TI Alert 🚨 MistEye has monitored threat intelligence regarding a sophisticated supply chain campaign targeting official Checkmarx distribution channels. The attack involved maliciously overwriting tags in the checkmarx/kics Docker Hub repository and injecting remote payload execution logic into specific extension versions, including checkmarx/cx-dev-assist (1.17.0, 1.19.0) and checkmarx/ast-results (2.63.0, 2.66.0). This campaign specifically aims to exfiltrate developer and cloud credentials to obtain GitHub and npm tokens for lateral propagation. Consequently, this propagation has led to the compromise of the @bitwarden/cli@2026.4.0 package, which now contains a malicious file named bw1.js. These IOCs have been synchronized with clients immediately. It is advised to avoid unverified checkmarx/kics Docker images and strictly refrain from using the compromised extension or CLI versions mentioned above. Immediate auditing of development environments and rotation of any potentially exposed credentials or tokens is strongly recommended. As always, stay vigilant!
The Crypto ISAC team is heading to #Consensus2026. Justine Bone (@justinembone), Christina Spring (@ccravens67), Henry Beaudin (@henrybeaudin) and Tiago Assumpcao (@coconuthaxor) are all looking forward to connecting with members, partners, and new faces across the ecosystem to talk:
- threat intelligence
- security coordination
- digital asset resilience
- and where the industry is headed next
If you’ll be there, let’s find time to connect. #Consensus2026 #CryptoSecurity #Cybersecurity #DigitalAssets #CryptoISAC