SlowMist has detected a malicious npm supply-chain campaign that uses fake trading-bot libraries and DeFi-themed npm packages to deliver JavaScript infostealers to npm users, DeFi developers, and trading-bot operators. The campaign involves 30 malicious npm packages, alongside roughly 2,300 near-identical forks published under the poly stocks account. The attackers steal sensitive data including cryptocurrency wallets, browser cookies, saved passwords, developer credentials, private keys, seed phrases (mnemonics), and API tokens. Developers should immediately remove the affected npm packages, audit package.json, package-lock.json and CI logs for them, replace exposed wallets, rotate every exposed private key, npm token, cloud credential, SSH key, and API token, and rebuild the affected environment from a clean image.