Drift

3 briefs

Apr 1, 2026
82

Malicious Axios npm packages used to deploy WAVESHAPER.V2 RAT

A researcher says malicious npm packages [email protected] and [email protected] were published briefly and used to deploy WAVESHAPER.V2, a cross-platform RAT attributed to UNC1069. The malware was delivered via a post-install hook, meaning no user clicks were required beyond a normal npm install, and it’s believed at least one security council member’s key may have been exfiltrated during the ~3-hour window.
Apr 1 22:16
44

Stablecoin Outflows Signal Market Caution as $147M Exits Major Exchanges

Whale watchers flagged $147M in stablecoin movements on April 1: a $35.8M USDT withdrawal from OKEx (Tron) and a $111.2M USDC transfer on Ethereum. The timing coincides with market caution following the Drift exploit and weak crypto sentiment, though the transfers' ultimate intent remains unclear.
Apr 1 22:00
92

Drift Protocol exploiter swaps $270M, buys $ETH via USDC bridge

On April 1, reports from Lookonchain indicate the Drift Protocol exploiter swapped $270M+ worth of stolen assets into USDC, bridged to Ethereum, and bought ETH. The attacker reportedly purchased 19,913 ETH for about $42.6M, then increased to 38,820 ETH for about $82.66M as activity continued. Drift Protocol says it is investigating unusual activity and asks users not to deposit while holders migrate positions; Phantom has issued an access warning for users.
Apr 1 20:01