In accordance with the rsETH technical recovery plan, WETH LTVs on Aave V3 Ethereum Core, Ethereum Prime, Arbitrum, Base, Mantle, and Linea have been restored to their pre-incident values. WETH now operates as normal across all affected V3 deployments.

Microsoft is investigating a new, emerging Mini Shai-Hulud npm supply chain attack targeting antv packages. Attackers compromised an antv maintainer account and published malicious versions of multiple widely used packages (for example, antv/g2). As these packages are widely used as dependencies, the compromise propagated into downstream libraries like echarts-for-react, impacting a much broader set of applications and continuous integration (CI) environments. All compromised packages contain a byte-identical, obfuscated credential-stealing payload delivered via a preinstall hook (Bun). The malware targets high-value secrets including: - GitHub personal access tokens (PATs) and OpenID Connect (OIDC) tokens - npm / Amazon Web Service (AWS) credentials and Security Token Service (STS) sessions - Secure Shell (SSH) keys, kubeconfigs, and .env / .npmrc files - Software-as-a-service (SaaS) tokens (Slack, Stripe, Vault) Exfiltration occurs over HTTPS with Transport Layer Security (TLS) validation disabled. The payload also abuses stolen OIDC tokens to forge Supply-chain Levels for Software Artifacts (SLSA) provenance and propagate malicious releases, exhibiting worm-like behavior across repositories. Malicious files distributed through npm packages are detected by Microsoft Defender as Trojan:AIGen/NPMStealer , "Suspicious Node.js process behavior", or “Credential access attempt”, preventing credential theft and malicious post-install execution. Mitigation: - Audit dependencies for affected antv and related packages; pin or downgrade to known-good versions (pre-2025-05-18). - Revoke and rotate exposed credentials (GitHub, npm, cloud tokens, SSH keys). - Validate integrity of CI pipelines and recent build artifacts. - Network IOC: Stolen credentials are exfiltrated over HTTPS to t.m-kosche[.]com:443. Block at egress and review network logs for outbound connections.