Holdstation, a provider of account abstraction solutions, has experienced a supply chain attack, according to ChainCatcher. The attack involved the theft of developer session tokens, allowing the attacker to bypass two-factor authentication and inject malicious code into an application update, leading to the theft of user funds.
The attack resulted in a loss of 462,000 USDT, with the attacker's address identified as 0xcbfA60B39cfAeaE475f649fB6705bD477219bF8d. In response, the Holdstation team has suspended services and pledged to fully compensate affected users. They are collaborating with security teams to investigate the incident and have issued a message on the blockchain, hoping to encourage the attacker to return the funds through a bug bounty program.