News
5 May 2026, 20:21
Kelp claims that LayerZero approved the setup it blamed for $292 million bridge hack

The $292M exploit, linked to North Korean hackers, led Kelp to migrate its rsETH off LayerZero's "OFT" standard to Chainlink's "CCIP."
5 May 2026, 20:21
Kelp says LayerZero approved setup it blamed for $292 million bridge hack

The $292M exploit, linked to North Korea's Lazarus Group, led Kelp to migrate its rsETH off LayerZero's OFT standard to Chainlink's CCIP.
5 May 2026, 19:55
Malicious SAP npm packages target crypto wallet data

Four npm packages connected to SAP’s Cloud Application Programming Model were compromised. The hackers added code that steals crypto wallets, cloud credentials, and SSH keys from developers. According to a report from Socket, the affected package versions include [email protected], @cap-js/[email protected], @cap-js/[email protected], and @cap-js/[email protected]. Together, these packages get about 572,000 downloads a week from the SAP developer community.

npm packages steal cloud credentials and crypto wallets

Security researchers explained that the hacked packages use a preinstall script that downloads and runs a Bun runtime binary from GitHub. The script then runs an obfuscated 11.7MB JavaScript payload. The original SAP source files are still there, but there are three additional new files: a modified package.json, setup.mjs, and execution.js. These files were timestamped hours after the real code. This shows that the tarballs were changed after being downloaded from a real source. Socket called it “a strong signal of a coordinated, automated injection campaign” that the loader script is byte-identical in all four packages, even though they are in two different namespaces.

When the payload runs, it checks if the system is set to Russian and stops if it is. It then branches depending on whether it finds a CI/CD environment (by checking 25 platform variables for services such as GitHub Actions, CircleCI, and Jenkins) or a developer workstation. On developer computers, the malware reads more than 80 different types of credential files. These include SSH private keys, AWS and Azure credentials, Kubernetes configs, npm and Docker tokens, environment files, and crypto wallets on eleven different platforms. It also goes after configuration files for AI tools, such as Claude and Kiro MCP settings.

The payload has two layers of encryption. A function called `__decodeScrambled()` uses PBKDF2 with 200,000 SHA-256 iterations and a salt called “ctf-scramble-v2” to derive the decryption keys.

SAP payloads use GitHub as the primary channel. Source: Socket.

The function name, algorithm, salt, and iteration count are the same as those in previous Checkmarx and Bitwarden payloads. This suggests that the same tools are being used in multiple campaigns. Socket is tracking the activity under the name “TeamPCP” and has made a separate tracking page for what it calls the “mini-shai-hulud” campaign.

Hackers target crypto developers persistently

The SAP package compromise is the most recent in a series of supply chain attacks that use package managers to steal digital asset credentials. As Cryptopolitan reported at the time, researchers found five typosquatted npm packages in March 2026 that stole private keys from Solana and Ethereum developers and sent them to a Telegram bot. ReversingLabs found a campaign called PromptMink a month later. In this campaign, a malicious package called @validate-sdk/v2 was added to an open-source crypto trading project through an AI-generated commit. Cryptopolitan’s coverage of the ReversingLabs findings says that the attack, which was linked to the North Korean state-sponsored group Famous Chollima, specifically went after crypto wallet credentials and system secrets.

The SAP attack is different in size and direction. Instead of making fake packages with names that are similar to real ones, the attackers got into real, widely used packages that were kept under SAP’s namespace.

Security researchers recommend that teams that use SAP CAP or MTA-based deployment pipelines check their lockfiles right away for the affected versions. Developers who installed these packages during the exposure window should change any credentials and tokens that may have been available in their build environments and check CI/CD logs for any unexpected network requests or binary execution. According to researchers, at least one affected version, @cap-js/[email protected], seems to have already been unpublished from npm.
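The two tarball signals described in the SAP item above, an install hook and files dated hours after the rest of the package, can be checked mechanically on a downloaded .tgz. The following is an added example, not Socket's tooling or code from the report; the function names, the sample tarball and its `node setup.mjs` hook command are constructed for illustration.

```python
import io, json, posixpath, statistics, tarfile

HOOKS = ("preinstall", "install", "postinstall")  # npm lifecycle scripts run at install

def triage_tarball(tgz, max_skew_hours=1.0):
    """Flag install hooks and files dated well after the rest of an npm .tgz."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tgz), mode="r:gz") as tar:
        files = [m for m in tar.getmembers() if m.isfile()]
        # Baseline is the median mtime; assumes injected files are the minority.
        baseline = statistics.median(m.mtime for m in files) if files else 0
        late = sorted(m.name for m in files
                      if m.mtime - baseline > max_skew_hours * 3600)
        manifests = [m for m in files if m.name.count("/") == 1
                     and posixpath.basename(m.name) == "package.json"]
        scripts = {}
        if manifests:
            scripts = json.load(tar.extractfile(manifests[0])).get("scripts", {})
    late_names = {posixpath.basename(n) for n in late}
    for hook in HOOKS:
        cmd = scripts.get(hook)
        if cmd:
            # A hook that invokes a late-dated file is the strongest signal.
            hit = any(posixpath.basename(t) in late_names for t in cmd.split())
            findings.append(("hook", hook, "runs-late-file" if hit else "review"))
    findings += [("late-mtime", name, "") for name in late]
    return findings

def build_sample():
    """Constructed sample: four files at t0, three more dated six hours later."""
    t0, t1 = 1_700_000_000, 1_700_000_000 + 6 * 3600  # arbitrary timestamps
    manifest = json.dumps({"name": "example-pkg", "version": "0.0.0",
                           "scripts": {"preinstall": "node setup.mjs"}})  # assumed
    entries = [("package/README.md", "docs", t0), ("package/lib/index.js", "//", t0),
               ("package/lib/a.js", "//", t0), ("package/lib/b.js", "//", t0),
               ("package/package.json", manifest, t1),
               ("package/setup.mjs", "// loader", t1),
               ("package/execution.js", "// payload", t1)]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, body, mtime in entries:
            data = body.encode()
            info = tarfile.TarInfo(name)
            info.size, info.mtime = len(data), mtime
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

if __name__ == "__main__":
    print(*triage_tarball(build_sample()), sep="\n")
```

A package with legitimate install hooks will still produce a "review" finding, so the timestamp correlation is what separates routine hooks from ones worth escalating.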
5 May 2026, 15:46
Drift unveils recovery plan after $295M DPRK-linked exploit, introduces user claim tokens

Drift Protocol has outlined a recovery plan following its $295M exploit, proposing recovery tokens and gradual payouts backed by revenue and external funding.
5 May 2026, 14:45
Tydro pauses all markets over oracle issues weeks after aiding Aave's exploit recovery

Tydro, the Aave-powered lending protocol on Ink with $247 million in deposits, halted all markets on May 4 after detecting problems with a third-party oracle provider. The shutdown comes barely two weeks after Tydro contributed to coordinated relief efforts for Aave following the $290 million KelpDAO exploit that affected the protocol. Tydro posted on X that it was “temporarily pausing all markets out of an abundance of caution following reports of issues with a third-party oracle,” adding that user funds remained safe. However, it did not provide a timeline for the restoration.

How did Tydro move from rescuer to rescued?

On April 23, Tydro and the Ink Foundation announced they were joining Aave and other ecosystem participants in a “coordinated DeFi relief effort” to help parties affected by the KelpDAO rsETH exploit and “support an orderly resolution for lenders and mitigate bad debt,” according to Tydro’s post at the time. That exploit saw around $290 million drained through uncollateralized rsETH tokens minted via a KelpDAO bridge vulnerability on April 18. The incident triggered over $15.1 billion in outflows from Aave over three and a half days. Aave saw its deposits fall from $48.5 billion to $30.7 billion as users fled to competing platforms such as Spark.

Tydro, which describes itself as “a non-custodial lending protocol for onchain capital markets, powered by Aave and built on Ink,” now faces headaches of its own, though it has not confirmed whether it was exploited. Currently, Tydro holds over $206.7 million in active loans and generated over $943,000 in fees over the past 30 days, per DeFiLlama data.

Tydro’s markets remain paused after an oracle issue. Source: DeFiLlama.

Has Aave recovered from the April exploit?

Aave itself is yet to fully recover from the April exploit fallout. On the same day Tydro went dark, Aave LLC filed an emergency motion to vacate a restraining notice served on Arbitrum DAO on May 1 that “attempts to seize approximately $71 million in ETH belonging to victims of the April 18 exploit,” according to the protocol’s post on X. The plaintiffs who filed the restraining order claim that the thief is linked to North Korea and that the funds seized thereby already belong to North Korea, against which they already have grievances. Aave disputes this position, stating, “A thief does not gain lawful ownership of stolen property simply by taking it, and the law is clear on this.” It wrote, “Those assets were recovered to be returned to users victimized in the April 18, 2026 exploit. Freezing them harms the very people this recovery effort is designed to protect.”

Tydro users, on the other hand, are still in the dark on how long markets will remain frozen and whether the oracle issue has exposed any positions to liquidation risk. For now, all they have to go on is that the protocol said it is “actively investigating.”
5 May 2026, 13:22
Ethereum Price Analysis: ETH Shows Breakout Signs but Danger Still Looms

Ethereum’s price action has transitioned into a stabilization phase after a strong reaction to this key demand zone shifted short-term sentiment. However, despite this rebound, the broader structure still reflects a market attempting to regain momentum while facing notable resistance overhead.

Ethereum Price Analysis: The Daily Chart

On the daily timeframe, ETH is clearly consolidating after establishing support at the critical $1.8K zone. This level has once again proven its significance, acting as a base for the current recovery phase. Since then, the price has been gradually pushing higher, but the upside remains capped by a confluence of resistance, including the upper boundary of the rising wedge structure and the key $2.4K supply zone. This overlapping resistance area is currently limiting bullish continuation and forcing the market into a consolidation range. As long as Ethereum remains below this region, it is likely to continue fluctuating within a tightening structure. A decisive breakout above the $2.4K level and the wedge resistance would signal a shift in momentum and could trigger a fresh bullish leg toward higher price levels.

ETH/USDT 4-Hour Chart

On the 4-hour chart, the price action is more compressed, forming a well-defined short-term range between the highlighted green support and resistance zones. ETH is currently oscillating within this narrow band, reflecting indecision among market participants. A breakout above the upper boundary of this range at $2.4K would likely lead to a continuation move toward the higher resistance cluster around the wedge’s upper boundary. Conversely, a breakdown below the lower boundary could invalidate the short-term bullish structure and expose the market to another corrective move, potentially revisiting lower support levels. This local range effectively acts as a decision zone, where the next breakout will determine the short-term direction.

Sentiment Analysis

From a liquidity perspective, the heatmap reveals two major liquidity clusters that are likely to influence upcoming price movements. A significant concentration of liquidity is positioned above the current price around the $2.5K region, making it an attractive target for a potential short squeeze. At the same time, another notable liquidity pool exists below the $2K threshold, which could act as a magnet in the event of renewed bearish pressure. This dual-sided liquidity structure suggests that Ethereum may first attempt to move higher toward the $2.5K region to capture upside liquidity before potentially reversing and targeting the lower liquidity zone near $2K. Such behavior would align with typical market dynamics, where the price seeks to exploit both sides of the order book before establishing a sustained trend.

Overall, Ethereum remains in a consolidation phase within a broader recovery structure, but the presence of strong overhead resistance and balanced liquidity distribution suggests that volatility expansion is approaching. The interaction between the $2.4K resistance, the short-term range boundaries, and the liquidity clusters will likely define the next significant move.

The post Ethereum Price Analysis: ETH Shows Breakout Signs but Danger Still Looms appeared first on CryptoPotato.







































