Key Highlights
- A tampered script on Apifox's official CDN stole tokens and credentials from the desktop client and gave attackers remote code execution on affected systems.
- LiteLLM PyPI breach may have exposed 300GB of data and 500K credentials across cloud and developer tools.
- Researchers warn supply chain attacks now target crypto and cloud tools using stolen keys and infrastructure access.
A major security scare has emerged after researchers uncovered a supply chain attack targeting the Apifox desktop client, an API development platform. According to SlowMist, attackers compromised a script hosted on Apifox's official CDN, slipping malicious code into what appeared to be a trusted analytics file. Because the Electron-based desktop client loads that script from the CDN at runtime rather than shipping it with the installer, the injected code ran automatically on users' systems worldwide, with no user action required.
Once active, the malware silently harvested sensitive data, including login tokens, system information, and API credentials, and transmitted it to attacker-controlled servers. Even more concerning, it enabled remote code execution, effectively giving attackers the ability to access and control affected machines in the background.
The case reflects a wider pattern of similar attacks seen recently across crypto and cloud development tools.
Apifox CDN injection and data theft mechanics
The attack reportedly started when the script file on Apifox's official CDN was tampered with. The Electron-based desktop client fetches and executes this script every time it starts and again during normal use, so a single change on the CDN reached every client without any user action and without a new release of the app.
Once loaded, the code was heavily disguised to evade detection. Layered obfuscation, RC4-encrypted strings and deliberately convoluted arithmetic were used to keep security software and analysts from working out what it did.
The code also established contact with a command-and-control server outside the victim's network and checked in with it repeatedly, a pattern known as beaconing. Those periodic check-ins let the malware drain data gradually over time rather than in a single, more conspicuous burst.
Traffic between an infected machine and the attackers' server was encrypted with RSA. That shields the stolen data from anyone watching the wire, and it also makes it harder for defenders inspecting network captures to see what was actually sent.
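Encrypted traffic hides the contents of a beacon, but not its timing: a check-in fired on a schedule leaves a train of connections with nearly identical gaps between them, which is something a defender can hunt for in proxy or firewall logs. The following detection is an added example written for this article, not part of SlowMist's analysis. The log lines are constructed (TEST-NET and `.invalid` addresses, made-up hostnames), and the thresholds, six connections minimum and a coefficient of variation of at most 0.1, are assumptions a team would tune to its own traffic.

```javascript
// Constructed outbound-connection log (not real Apifox traffic). One line per
// connection: "<unix_ts> <src_host> <dst_host>:<dst_port>". dev-laptop-01
// talks to 203.0.113.10 about every 60 s with a little jitter, dev-laptop-02
// fetches from a CDN at irregular times, dev-laptop-03 connects only 3 times.
const SAMPLE_LOG = `
1700000000 dev-laptop-01 203.0.113.10:443
1700000003 dev-laptop-02 cdn.example.invalid:443
1700000008 dev-laptop-02 cdn.example.invalid:443
1700000058 dev-laptop-01 203.0.113.10:443
1700000119 dev-laptop-01 203.0.113.10:443
1700000179 dev-laptop-01 203.0.113.10:443
1700000238 dev-laptop-01 203.0.113.10:443
1700000300 dev-laptop-01 203.0.113.10:443
1700000308 dev-laptop-02 cdn.example.invalid:443
1700000320 dev-laptop-02 cdn.example.invalid:443
1700000360 dev-laptop-01 203.0.113.10:443
1700000421 dev-laptop-01 203.0.113.10:443
1700000480 dev-laptop-01 203.0.113.10:443
1700000540 dev-laptop-01 203.0.113.10:443
1700000600 dev-laptop-03 203.0.113.10:443
1700000660 dev-laptop-03 203.0.113.10:443
1700000720 dev-laptop-03 203.0.113.10:443
1700001020 dev-laptop-02 cdn.example.invalid:443
1700001053 dev-laptop-02 cdn.example.invalid:443
1700001143 dev-laptop-02 cdn.example.invalid:443
`;

// Parse one log line into { ts, src, dst }.
function parseLine(line) {
  const [ts, src, dst] = line.trim().split(/\s+/);
  return { ts: Number(ts), src, dst };
}

function parseLog(text) {
  return text.split("\n").map((l) => l.trim()).filter(Boolean).map(parseLine);
}

// Collect connection timestamps per (source, destination) pair.
function groupByPair(events) {
  const groups = new Map();
  for (const e of events) {
    const key = `${e.src} -> ${e.dst}`;
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(e.ts);
  }
  return groups;
}

// Mean and coefficient of variation (stddev / mean) of the gaps between
// consecutive connections. A scheduled beacon with little jitter has a low
// CV; human-driven or event-driven traffic has a high one.
function intervalStats(timestamps) {
  const sorted = [...timestamps].sort((a, b) => a - b);
  const gaps = [];
  for (let i = 1; i < sorted.length; i++) gaps.push(sorted[i] - sorted[i - 1]);
  const mean = gaps.reduce((s, g) => s + g, 0) / gaps.length;
  const variance = gaps.reduce((s, g) => s + (g - mean) ** 2, 0) / gaps.length;
  const cv = mean === 0 ? Infinity : Math.sqrt(variance) / mean;
  return { count: sorted.length, mean, cv };
}

// Flag pairs that connected at least `minConnections` times with gap CV at
// or below `maxCv`. Pairs with too few connections are skipped rather than
// scored, since two or three samples cannot establish a rhythm.
function findBeacons(logText, { minConnections = 6, maxCv = 0.1 } = {}) {
  const results = [];
  for (const [pair, ts] of groupByPair(parseLog(logText))) {
    if (ts.length < minConnections) continue;
    const { mean, cv } = intervalStats(ts);
    if (cv <= maxCv) {
      results.push({ pair, connections: ts.length, meanIntervalSec: mean, cv });
    }
  }
  return results;
}

console.log(findBeacons(SAMPLE_LOG)); // one hit: dev-laptop-01 -> 203.0.113.10:443
```

Real beacons usually add randomised jitter, which is why the check works on the spread of the intervals rather than on an exact period; widening `maxCv` catches sloppier jitter at the cost of more false positives from legitimate pollers such as update checkers, so flagged destinations still need a second look against known-good infrastructure.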
LiteLLM breach and wider crypto supply chain risks
In a separate case, security researchers recently reported a breach involving LiteLLM after malicious code was added to PyPI package versions 1.82.7 and 1.82.8. The compromised updates are believed to have exposed a large amount of sensitive data, including roughly 300GB of information and about 500,000 user credentials worldwide.
The exposed material reportedly includes SSH keys and credentials for cloud services such as AWS, Google Cloud and Azure, along with Kubernetes and database secrets. Any of these could let attackers move deeper into the affected organizations' infrastructure, so the impact extends well beyond the machines on which the package was installed.
In a similar vein, SlowMist's chief security researcher, 23pds, urged developers to act fast: audit affected systems, replace all relevant keys and credentials, and check logs for signs of compromise. He warned that failing to act quickly could have dire consequences, as seen in the past with the breach suffered by the Trust Wallet team.
In addition, security researchers have previously linked some of these activities to North Korea-associated threat campaigns targeting crypto platforms and exchange service providers. According to those reports, attackers have used stolen AWS credentials, Terraform configurations, Docker images and Kubernetes clusters to push deeper into victims' systems.
The incidents underline growing risks in software supply chains and show how readily attackers can turn trusted tools and services against their users. Organizations need to review the third-party libraries and dependencies they rely on, pin the versions they install, and verify the integrity of any scripts or files their software pulls from CDNs at runtime.
