Malware & Ransomware · HIGH

Malware - Five Malicious npm Packages Target Crypto Developers

Cyber Security News
Tags: npm · crypto · Telegram · malicious packages · Solana

In short: packages posing as Base58 and wallet libraries quietly send your private keys to an attacker.

Quick Summary

Five malicious npm packages have been found targeting crypto developers. Each one hooks a function that handles private wallet keys and sends the key material to a Telegram bot. This is a software supply chain attack on the crypto development community; anyone who installed these packages should rotate the affected keys and move funds out of the affected wallets.

What Happened

The cryptocurrency development community is facing a serious threat. Five malicious npm packages were discovered that steal private wallet keys from developers. These packages were published under the npm account "galedonovan" and were designed to look like trusted libraries used by Solana and Ethereum developers. Once installed, they operate silently, capturing sensitive key material and sending it directly to a Telegram bot.

Four of the packages, raydium-bs58, base-x-64, bs58-basic, and base_xd, target Solana developers. They hook the Base58 decode() function: decoding a Base58 string is the usual first step when a Solana keypair is loaded from a private-key string, so the hook sees the secret before anything else does. The fifth package, ethersproject-wallet, hooks the Ethereum Wallet constructor to capture private keys as they are passed in. In both cases the key is sent out in plain text as soon as the developer's code calls the hooked function, giving the attacker everything needed to drain the wallet.

Who's Being Targeted

These malicious packages primarily target developers within the Solana and Ethereum ecosystems. By masquerading as legitimate libraries, they exploit the trust developers place in npm packages. The attack is particularly insidious because it affects both major blockchain platforms simultaneously, putting a wide range of developers at risk. Developers who unknowingly install these packages may not realize their keys have been compromised until it’s too late.

Socket.dev researchers identified these packages as part of a coordinated typosquatting campaign. Each package was linked to the same npm account and used a hardcoded Telegram bot endpoint for exfiltration. The bot, @Test20131_Bot, is managed by a user identified as @crypto_sol3, further indicating a targeted approach to stealing cryptocurrency.

Signs of Infection

The key theft works through function hooking. The attacker wraps a function that developers routinely pass private keys through. When a key arrives, the wrapper sends it to the Telegram bot first and then delegates to the legitimate function, so the caller receives the correct result and nothing appears wrong.

For instance, in the raydium-bs58 package, the modified decode() function sends the key to the bot before executing the actual decode. Similarly, the base-x-64 package obscures its malicious intent by using an array rotation cipher to scramble its Telegram URL and bot token. Developers may not see any errors, leading them to believe they are using a legitimate package while their keys are compromised.
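The hooking pattern described above, as an added illustration that is not code from the malicious packages or from any library: a wrapper around a Base58 decode() records the input and then delegates to a genuine decoder, so the output is byte-for-byte identical. The capture sink is a local array here (the real packages sent the string to a Telegram bot), the Base58 decoder is a minimal stand-in for bs58, and the `isTrustedDecode` check and the sample strings are assumptions made for the example.

```javascript
// Added illustration, not code from the packages described in the article.
// Shows why a hooked decode() is invisible to the caller, and one check a
// developer can run on the decode function a package hands them.

const ALPHABET = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz';

// Minimal Base58 decoder using the bs58 alphabet; stands in for the genuine
// library in this example.
function base58Decode(str) {
  const bytes = [];                       // little-endian accumulator
  for (const ch of str) {
    let carry = ALPHABET.indexOf(ch);
    if (carry < 0) throw new Error(`invalid Base58 character: ${ch}`);
    for (let i = 0; i < bytes.length; i++) {
      carry += bytes[i] * 58;
      bytes[i] = carry & 0xff;
      carry >>= 8;
    }
    while (carry > 0) { bytes.push(carry & 0xff); carry >>= 8; }
  }
  let zeros = 0;                          // each leading '1' is a leading 0x00 byte
  while (zeros < str.length && str[zeros] === '1') zeros++;
  const out = new Uint8Array(zeros + bytes.length);
  out.set(bytes.reverse(), zeros);
  return out;
}

// Hooking pattern: wrap the real function, leak the argument, return the real
// result. Nothing observable changes for the caller.
function makeHookedDecode(realDecode, sink) {
  return function decode(str) {
    sink.push(str);            // exfiltration point (a local array in this example)
    return realDecode(str);    // genuine behaviour preserved, so no errors appear
  };
}

// Typical key-handling call site: a Solana secret key is 64 bytes encoded as
// Base58 (32-byte seed followed by the 32-byte public key).
function loadKeypair(decode, secretBase58) {
  const secretKey = decode(secretBase58);
  if (secretKey.length !== 64) throw new Error('expected a 64-byte Solana secret key');
  return { secretKey, publicKey: secretKey.slice(32) };
}

// Assumed check: the decode a package hands you should be the same function
// object, or at least the same source text, as the export of the package you
// actually vetted. A wrapper fails both comparisons.
function isTrustedDecode(candidate, trusted) {
  if (candidate === trusted) return true;
  return Function.prototype.toString.call(candidate) ===
         Function.prototype.toString.call(trusted);
}

// Demonstration on constructed input: "Cn8eVZg" is Base58 for the bytes of "hello".
const captured = [];
const hookedDecode = makeHookedDecode(base58Decode, captured);
function demo() {
  const genuine = base58Decode('Cn8eVZg');
  const viaHook = hookedDecode('Cn8eVZg');
  return {
    sameOutput: genuine.join(',') === viaHook.join(','),   // true: caller sees no difference
    leaked: captured.slice(),                               // ['Cn8eVZg']: the hook saw it
    trusted: isTrustedDecode(hookedDecode, base58Decode),   // false
  };
}
```

The identity check is only as good as the reference you compare against: it has to come from the package you audited (bs58 or base-x), not from a transitive dependency that could itself be the wrapper.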

How to Protect Yourself

If you have installed any of these malicious packages, treat every private key that passed through them as compromised. Immediately move your funds and rotate your keys to prevent unauthorized access. The legitimate replacements for these packages are bs58, base-x, and the scoped @ethersproject/wallet from the official ethers.js monorepo.

Additionally, be vigilant about auditing transitive dependencies. The package bs58-basic, for example, quietly pulls in base-x-64 as its only runtime dependency, making it crucial to inspect all dependencies thoroughly. Moving forward, any npm package that re-exports cryptographic utilities or contains obfuscated code near key-handling logic should be treated with suspicion until proven safe.

🔒 Pro insight: Any package that sits between a developer and their private keys is as sensitive as the keys themselves. Treat a lookalike name (base-x-64 instead of base-x, ethersproject-wallet instead of the scoped @ethersproject/wallet) as a red flag, and verify the publisher and the exact package name before a Base58 or wallet library ever touches key material.

Original article: Cyber Security News · Tushar Subhra Dutta

Related Pings

HIGH · Malware & Ransomware

Malware - Russian Hacker Sentenced for Ransomware Attacks

A Russian hacker has been sentenced to two years for managing a botnet that launched ransomware attacks on U.S. companies. This case highlights the ongoing threat of cybercrime and the significant financial impact on businesses. As cybercriminals grow more sophisticated, organizations must bolster their defenses against such attacks.

The Hacker News

HIGH · Malware & Ransomware

Ransomware - Russian Broker Sentenced for Cybercrime Role

Aleksei Volkov, an Initial Access Broker, was sentenced to prison for enabling ransomware attacks on U.S. companies. His actions led to over $9 million in damages. This case highlights the ongoing threat of cybercrime and the importance of international law enforcement collaboration.

Cyber Security News

HIGH · Malware & Ransomware

Malware - PyPI Warns of LiteLLM Credential Theft

PyPI has warned developers about LiteLLM malware that steals cloud and CI/CD credentials. This incident could have widespread implications for users. Immediate action is necessary to secure sensitive information.

CSO Online

HIGH · Malware & Ransomware

Malware - US Prisons Russian Access Broker for Ransomware

Aleksei Volkov has been sentenced for his role in ransomware attacks, causing over $9 million in losses. This case highlights the ongoing threat of ransomware. Organizations must strengthen their defenses against such cyber threats.

SecurityWeek

HIGH · Malware & Ransomware

Malware - Manager of Botnet Sentenced for Ransomware Attacks

A Russian man was sentenced for managing a botnet behind ransomware attacks on U.S. companies. This operation led to over $14 million in extortion payments. It's a stark reminder of the ongoing cyber threats businesses face.

BleepingComputer

HIGH · Malware & Ransomware

LiteLLM Compromised - TeamPCP Hackers Inject Backdoor

The LiteLLM Python package has been compromised by hackers, affecting millions of users. This breach allows attackers to steal sensitive data and gain unauthorized access. Immediate audits and credential rotations are crucial for affected organizations.

Cyber Security News