Hack Alerta

Malicious npm packages steal cryptocurrency wallet keys

Five malicious npm packages steal cryptocurrency wallet keys. The attack uses function hooking and Telegram to exfiltrate the data. Learn how to protect yourself.

Introduction

The cryptocurrency development community is facing a serious supply chain threat after five malicious npm packages were discovered stealing private wallet keys and forwarding them directly to a Telegram bot. Published under the npm account galedonovan, these packages were crafted to look like trusted libraries that Solana and Ethereum developers rely on every day.

Once installed, they work silently in the background, capturing key material and sending it to an attacker without triggering any visible errors. This attack targets both major blockchain ecosystems at once, putting developers and users at risk.

How the key was stolen

Each package in this campaign relies on a technique known as function hooking. The attacker wraps a function that developers regularly pass private keys through, intercepts the key the moment it arrives, sends it to a Telegram bot, and then passes control back to the original function so everything appears to work normally.

In raydium-bs58, the modified decode function calls sendMessage with the key before running the actual decode, so the key is sent out even if the decode itself fails. In base-x-64, the payload hides behind an array rotation cipher that scrambles the Telegram URL, bot token, and chat ID.

The package bs58-basic carries no malicious code of its own, simply listing base-x-64 as its only runtime dependency, so the theft happens through a transitive chain without any obvious red flags.

Compromised packages

Four packages go after Solana developers by intercepting Base58 decode calls, the standard way to load a keypair from a private key string. The fifth package, ethersproject-wallet, hooks directly into the Ethereum Wallet constructor the moment a private key is passed in.

In both cases, the key travels as plain text to a Telegram group before the legitimate function finishes, giving the attacker immediate access to drain any connected wallet. One package, base_xd, was pulled from npm just five minutes after it was published, but the other four remained live at the time of discovery.
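As an added example, not code from the packages or from the original article, here is the hooking pattern the two sections above describe, in both shapes reported: a wrapped Base58 decode that exfiltrates before decoding (the raydium-bs58 shape) and a trapped Wallet constructor (the ethersproject-wallet shape). The Base58 decoder, the Wallet stand-in and the sample inputs are constructed for this example, and the Telegram sendMessage call is replaced by an in-memory array so that it runs offline.

```javascript
// Added example, written from the article's description; not copied from the
// malicious packages. The Telegram exfiltration is replaced by a local array.
const ALPHABET = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz';

// Minimal stand-in for the legitimate bs58.decode (constructed for this example).
function base58Decode(str) {
  let n = 0n;
  for (const ch of str) {
    const i = ALPHABET.indexOf(ch);
    if (i < 0) throw new Error(`Non-base58 character: ${ch}`);
    n = n * 58n + BigInt(i);
  }
  let hex = n.toString(16);
  if (hex.length % 2) hex = '0' + hex;
  const body = n === 0n ? [] : [...Buffer.from(hex, 'hex')];
  let leadingZeros = 0;
  for (const ch of str) { if (ch !== '1') break; leadingZeros++; }
  return Buffer.from([...new Array(leadingZeros).fill(0), ...body]);
}

// Where the captured keys end up. In the real packages this was a hardcoded
// Telegram bot endpoint; here it is an array we can inspect.
const exfiltrated = [];
function sendMessage(text) { exfiltrated.push(String(text)); }

// Hook in the shape described for raydium-bs58: send first, then hand control to
// the real decode. Because sendMessage runs before decode, an invalid key that
// makes decode throw has already been sent.
function hookDecode(original) {
  return function decode(str) {
    sendMessage(str);
    return original(str);
  };
}

// Hook in the shape described for ethersproject-wallet: a construct trap that
// captures the private-key argument and then builds the genuine object, so
// instanceof checks and behaviour are unchanged for the caller.
function hookConstructor(Original) {
  return new Proxy(Original, {
    construct(target, args, newTarget) {
      sendMessage(args[0]);
      return Reflect.construct(target, args, newTarget);
    },
  });
}

// Minimal stand-in for the ethers Wallet class (constructed for this example).
class Wallet {
  constructor(privateKey) { this.privateKey = privateKey; }
}

// Runs both hooks on constructed sample inputs (not real keys) and reports what
// the victim observes versus what reached the attacker's sink.
function demo() {
  exfiltrated.length = 0;
  const decode = hookDecode(base58Decode);
  const HookedWallet = hookConstructor(Wallet);

  const sampleKey = '2NEpo7TZRRrLZSi2U';               // constructed; decodes to "Hello World!"
  const sameOutput = decode(sampleKey).equals(base58Decode(sampleKey));

  let decodeThrew = false;
  try { decode('0OIl'); } catch (_) { decodeThrew = true; } // '0' is not a base58 character

  const w = new HookedWallet('0x' + '11'.repeat(32));       // constructed placeholder key
  return {
    sameOutput,                     // victim gets identical bytes back
    decodeThrew,                    // and the normal error on bad input
    isWallet: w instanceof Wallet,  // the constructor hook is invisible to instanceof
    leaked: exfiltrated.slice(),    // yet all three inputs reached the sink
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

Run with `node hook-demo.js`: the decode result matches the original, the bad input throws exactly as bs58 would, and the wallet object passes `instanceof`, yet the sink holds every string that went through, including the one whose decode failed. That is why comparing outputs cannot reveal the hook; only inspecting the package source or its network behaviour can.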

Evidence and limits

Socket.dev researchers identified all five packages as part of a coordinated typosquatting campaign, noting that each one was tied to the same npm account and used the same hardcoded Telegram bot endpoint for exfiltration.

The C2 infrastructure led to a single Telegram bot, @Test20131_Bot, with a receiving group run by @crypto_sol3. Since the bot token and chat ID were hardcoded into every package, there was no external staging server or domain needed.

Impact and reach

The threat is especially hard to detect because the malicious packages behave exactly like the real ones. A developer who installs raydium-bs58 would get back the correct output, see no errors, and have no reason to suspect anything.

Any developer who installed these packages should treat every private key that passed through them as fully compromised. Funds should be moved and keys rotated without delay. The legitimate replacements are bs58, base-x, and the scoped @ethersproject/wallet from the official ethers.js monorepo.

Recommended mitigations

Transitive dependencies must be audited, since bs58-basic silently pulls in base-x-64. Going forward, any npm package that re-exports a cryptographic utility with a thin wrapper, or contains obfuscated code near key-handling logic, should be treated as suspicious until proven otherwise.
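As an added example (not a tool from the original article or from Socket.dev), the following script audits a project's package-lock.json for the five package names reported above, including packages pulled in transitively, and explains the chain that brought each one in. It also flags the thin-wrapper pattern the article describes, a package whose only runtime dependency is a flagged package. The sample lockfile and the package name "sol-helper" are constructed for the example.

```javascript
// Added example: audit the "packages" map of a package-lock.json (lockfileVersion
// 2 or 3) for the package names reported in the article. Not from the article.
const MALICIOUS = new Set([
  'raydium-bs58', 'base-x-64', 'bs58-basic', 'base_xd', 'ethersproject-wallet',
]);

// Derive a package name from a lockfile path such as
// "node_modules/bs58-basic/node_modules/base-x-64" or "node_modules/@scope/pkg".
function nameFromPath(lockPath) {
  return lockPath.split('node_modules/').pop();
}

function auditLockfile(lock) {
  const packages = lock.packages || {};
  const rootName = (packages[''] && packages[''].name) || '(root)';
  const byName = new Map();      // name -> { version, deps } (last entry wins for duplicates)
  const dependents = new Map();  // dependency name -> names of packages that require it
  for (const [lockPath, meta] of Object.entries(packages)) {
    const name = lockPath === '' ? rootName : nameFromPath(lockPath);
    const deps = Object.keys(meta.dependencies || {});  // runtime deps only
    byName.set(name, { version: meta.version, deps });
    for (const dep of deps) {
      if (!dependents.has(dep)) dependents.set(dep, []);
      dependents.get(dep).push(name);
    }
  }

  // Follow "who required this" edges up to the root to show how it got in.
  function chain(name) {
    const out = [name];
    const seen = new Set(out);
    let cur = name;
    while (dependents.has(cur) && dependents.get(cur).length) {
      const next = dependents.get(cur)[0];
      if (seen.has(next)) break;
      out.push(next); seen.add(next); cur = next;
    }
    return out;
  }

  const flagged = [];
  const wrappers = [];
  for (const [name, info] of byName) {
    if (MALICIOUS.has(name)) flagged.push({ name, version: info.version, chain: chain(name) });
    if (name !== rootName && info.deps.length === 1 && MALICIOUS.has(info.deps[0])) {
      wrappers.push({ name, onlyDependency: info.deps[0] });
    }
  }
  return { flagged, wrappers };
}

// Constructed sample lockfile (not a real project): bs58-basic drags in base-x-64
// transitively, and a hypothetical "sol-helper" depends only on raydium-bs58.
const SAMPLE_LOCK = {
  name: 'demo-app', lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { bs58: '^5.0.0', 'bs58-basic': '^1.0.0', 'sol-helper': '^1.0.0' } },
    'node_modules/bs58': { version: '5.0.0', dependencies: { 'base-x': '^4.0.0' } },
    'node_modules/base-x': { version: '4.0.0' },
    'node_modules/bs58-basic': { version: '1.0.0', dependencies: { 'base-x-64': '^1.0.0' } },
    'node_modules/base-x-64': { version: '1.0.0' },
    'node_modules/sol-helper': { version: '1.0.0', dependencies: { 'raydium-bs58': '^1.0.0' } },
    'node_modules/raydium-bs58': { version: '1.0.0' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  const file = process.argv[2];
  const lock = file ? JSON.parse(require('fs').readFileSync(file, 'utf8')) : SAMPLE_LOCK;
  console.log(JSON.stringify(auditLockfile(lock), null, 2));
}
```

Run as `node audit-lock.js path/to/package-lock.json`; with no argument it runs on the constructed sample and reports base-x-64 with the chain base-x-64 <- bs58-basic <- demo-app. The same question can be asked of npm directly with `npm ls base-x-64`, but the script also surfaces the wrapper pattern, which a name lookup alone does not.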

Takedown requests for all five packages and the threat actor's account have been submitted to the npm security team. Developers should verify package integrity and use tools like Socket.dev to scan for malicious code.

Conclusion

This campaign of malicious npm packages highlights the supply chain risk in the cryptocurrency ecosystem. Vigilance and regular auditing of dependencies, including transitive ones, are essential to protect private keys and funds from theft.


Based on an original publication by Cyber Security News
Published by the Hack Alerta editorial team, based on the external sources cited and Hack Alerta's editorial monitoring. For technical, operational or legal decisions, always confirm the details with the original source.