New npm Packages Steal Crypto Wallet Keys via Telegram
Key Takeaways
- Five malicious npm packages were discovered actively stealing cryptocurrency wallet private keys.
- The packages leverage typosquatting and function hooking to target Solana and Ethereum developers.
- Compromised keys are exfiltrated to a Telegram bot without any visible errors to the user.
- Four of the five packages remained active at the time of discovery, posing an ongoing supply chain risk.
The cryptocurrency development ecosystem is currently grappling with a significant supply chain threat following the discovery of five malicious npm packages. These packages are engineered to surreptitiously extract private wallet keys and transmit them directly to a Telegram bot controlled by attackers.
Published under the npm account “galedonovan,” these deceptive packages were crafted to mimic legitimate and widely trusted libraries frequently used by Solana and Ethereum developers.
Upon installation, the malicious code operates silently in the background, capturing sensitive key material. This exfiltration occurs without generating any errors or suspicious activity that would alert developers to the compromise, as detailed in a comprehensive report.
Dual-Blockchain Attack Vector
The attack reaches both major blockchain ecosystems. Four of the identified packages—raydium-bs58, base-x-64, bs58-basic, and base_xd—target Solana developers by intercepting calls to the Base58 decode() function, the usual way a keypair is loaded from a private key string.
The fifth package, named ethersproject-wallet, focuses on Ethereum developers. It directly hooks into the Ethereum Wallet constructor at the precise moment a private key is passed into it.
In both scenarios, the intercepted private key is sent in plain text to a Telegram group before the legitimate function completes its execution. This immediate exfiltration grants the attacker critical access, enabling them to drain any connected cryptocurrency wallet.
Researchers at Socket.dev were instrumental in identifying all five packages. Their analysis confirmed a coordinated typosquatting campaign, noting that each package originated from the same npm account and utilized an identical hardcoded Telegram bot endpoint for data exfiltration.
The command-and-control (C2) infrastructure traced back to a single Telegram bot, @Test20131_Bot, which communicated with a receiving group managed by @crypto_sol3 (display name: Crypto_Dev, user ID: 7847516435).
Crucially, the bot token and chat ID were hardcoded within each package. This design eliminated the need for an external staging server or domain, ensuring that the theft mechanism remained functional as long as the Telegram bot remained online.
While one package, base_xd, was removed from npm merely five minutes after its publication, the other four remained accessible at the time of their discovery.

Socket’s AI-powered scanner detected base-x-64 by identifying an obfuscated exfiltration channel within src/cjs/index.cjs. This flagged that data intended for decode() was being redirected to a Telegram bot.
Takedown requests for all five malicious packages and the associated threat actor’s account have been submitted to the npm security team.
A significant challenge in detecting this threat is the seemingly normal behavior of the malicious packages. A developer integrating raydium-bs58, for instance, would receive the expected output and encounter no errors, providing no indication that their private key was being simultaneously transmitted to an unauthorized Telegram group.
How the Key Theft Works
Each package in this sophisticated campaign employs a technique known as function hooking. The attacker effectively “wraps” a legitimate function that developers commonly use to process private keys. At the moment a private key is passed, the malicious code intercepts it, sends it to the Telegram bot, and then seamlessly returns control to the original function. This ensures the function completes its intended operation, maintaining the illusion of normalcy.
In the case of raydium-bs58, the modified decode() function executes a sendMessage() call with the private key before proceeding with the actual decoding process. This ensures the key is exfiltrated even if the subsequent decoding operation fails.

The base-x-64 package incorporates an additional layer of stealth: its payload is concealed behind an array rotation cipher. This scrambles the Telegram URL, bot token, and chat ID, making it more difficult to identify during routine code reviews.
The package bs58-basic itself contains no direct malicious code. Instead, it cunningly lists base-x-64 as its sole runtime dependency, allowing the key theft to occur through a transitive dependency chain without overt red flags.
The ethersproject-wallet package is a near-perfect clone of the legitimate @ethersproject/wallet 5.8.0 release. The only alteration is a single injected line of code, inserted after the TypeScript build step, a discrepancy confirmed by a mismatch between the source map and the compiled output.
What You Should Do
- Immediately assume compromise for any private key that has passed through these malicious packages.
- Transfer all funds from affected wallets to new, secure wallets.
- Rotate all private keys that may have been exposed.
- Verify all npm package dependencies, especially transitive ones. The legitimate replacements are bs58, base-x, and the scoped @ethersproject/wallet from the official ethers.js monorepo.
- Exercise extreme caution with any npm package that re-exports cryptographic utilities with minimal wrapping or contains obfuscated code near key-handling logic; treat such packages as suspicious until thoroughly vetted.
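As an added, defender-side example that is not code from the report, from Socket, or from any of the packages named, the following Node.js script audits a package-lock.json for the five package names above, including when one only arrives transitively the way bs58-basic pulls in base-x-64, and then applies simple string heuristics to a compiled entry point. The lockfile and source snippet are constructed; the push(shift()) check is a heuristic for the array rotation cipher described above, and the outbound-HTTP check assumes a codec or wallet library should make no network calls.

```javascript
// Added example (not code from the report, Socket or npm): audit a lockfileVersion 2/3
// package-lock.json for the five package names quoted above, noting direct vs transitive
// installs, then run string heuristics over a compiled entry point. Sample data is constructed.
const KNOWN_BAD = new Set([
  "raydium-bs58", "base-x-64", "bs58-basic", "base_xd", "ethersproject-wallet",
]);
const NM = "node_modules/";
const leafName = (key) => key.slice(key.lastIndexOf(NM) + NM.length); // ".../node_modules/b" -> "b"
function auditLockfile(lock) {
  const pkgs = lock.packages || {};
  const root = pkgs[""] || {};
  const direct = new Set(Object.keys({ ...root.dependencies, ...root.devDependencies }));
  const findings = [];
  for (const [key, entry] of Object.entries(pkgs)) {
    if (key === "") continue;
    const name = leafName(key);
    if (!KNOWN_BAD.has(name)) continue;
    // Every installed package (or the root project) that declares this one as a dependency.
    const requiredBy = Object.entries(pkgs)
      .filter(([k, e]) => k !== key && e.dependencies && name in e.dependencies)
      .map(([k]) => (k === "" ? "(root project)" : leafName(k)));
    findings.push({ name, version: entry.version, transitive: !direct.has(name), requiredBy });
  }
  return findings;
}

// Heuristics: a hardcoded Telegram Bot API endpoint, the push(shift()) array rotation that
// obfuscators use to scramble string tables, and any outbound HTTP call, which a pure
// base-x codec or wallet constructor has no legitimate reason to make.
function scanSource(code) {
  const checks = [
    [/api\.telegram\.org\/bot/i, "hardcoded Telegram Bot API endpoint"],
    [/(\w+)\.push\(\s*\1\.shift\(\)\s*\)/, "array-rotation string obfuscation"],
    [/\b(fetch|https?\.request|https?\.get|axios)\s*\(/, "outbound HTTP call in codec/wallet code"],
  ];
  return checks.filter(([re]) => re.test(code)).map(([, label]) => label);
}
// Constructed lockfile: bs58-basic is declared by the project; base-x-64 only arrives through it.
const sampleLock = { lockfileVersion: 3, packages: {
  "": { name: "my-dapp", dependencies: { "bs58-basic": "^1.0.0", bs58: "^6.0.0" } },
  "node_modules/bs58": { version: "6.0.0", dependencies: { "base-x": "^5.0.0" } },
  "node_modules/base-x": { version: "5.0.0" },
  "node_modules/bs58-basic": { version: "1.0.0", dependencies: { "base-x-64": "^1.0.0" } },
  "node_modules/base-x-64": { version: "1.0.0" },
} };
// Constructed snippet shaped like the obfuscated payload the report describes; it is never executed.
const sampleSource = `const _t = ["chat_id", "api.telegram.org/bot", "sendMessage"];
(function (a, n) { while (n--) a.push(a.shift()); })(_t, 1);
https.request("https://" + _t[0] + TOKEN + "/" + _t[1]);`;
console.log(auditLockfile(sampleLock), scanSource(sampleSource));
```

Run it against a real project by replacing sampleLock with `JSON.parse(fs.readFileSync("package-lock.json"))`; a hoisted install still shows base-x-64 as transitive because only bs58-basic, not the root project, declares it.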
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.