Hackers News

New npm Packages Steal Crypto Wallet Keys via Telegram

By Emy Elsamnoudy
March 25, 2026 | 4 min read

Key Takeaways

  • Five malicious npm packages were discovered actively stealing cryptocurrency wallet private keys.
  • The packages leverage typosquatting and function hooking to target Solana and Ethereum developers.
  • Compromised keys are exfiltrated to a Telegram bot without any visible errors to the user.
  • Four of the five packages remained active at the time of discovery, posing an ongoing supply chain risk.

The cryptocurrency development ecosystem is currently grappling with a significant supply chain threat following the discovery of five malicious npm packages. These packages are engineered to surreptitiously extract private wallet keys and transmit them directly to a Telegram bot controlled by attackers.

Published under the npm account “galedonovan,” these deceptive packages were crafted to mimic legitimate and widely trusted libraries frequently used by Solana and Ethereum developers.

Once installed, the malicious code runs silently in the background and captures key material as it is used. The exfiltration produces no error and no other visible sign that would alert a developer to the compromise, as detailed in Socket's report.

Dual-Blockchain Attack Vector

The campaign reaches both major ecosystems. Four of the packages, raydium-bs58, base-x-64, bs58-basic and base_xd, target Solana developers by impersonating the bs58/base-x libraries and wrapping their decode() function, the call a Solana keypair is normally loaded through when the private key is supplied as a Base58 string.

The fifth package, ethersproject-wallet, targets Ethereum developers. It hooks the Ethereum Wallet constructor at the moment a private key is passed to it.

In both cases the intercepted private key is sent in plain text to a Telegram group before the legitimate function returns. Because the private key is all that is needed to sign transactions, this gives the attacker the ability to drain any wallet controlled by that key.

Researchers at Socket.dev identified all five packages. Their analysis showed a coordinated typosquatting campaign: every package came from the same npm account and used the same hardcoded Telegram bot endpoint for exfiltration.

The command-and-control (C2) infrastructure traced back to a single Telegram bot, @Test20131_Bot, which communicated with a receiving group managed by @crypto_sol3 (display name: Crypto_Dev, user ID: 7847516435).

Crucially, the bot token and chat ID were hardcoded within each package. This design eliminated the need for an external staging server or domain, ensuring that the theft mechanism remained functional as long as the Telegram bot remained online.

While one package, base_xd, was removed from npm merely five minutes after its publication, the other four remained accessible at the time of their discovery.

The galedonovan profile (Source: Socket.dev)

Socket’s AI-powered scanner detected base-x-64 by identifying an obfuscated exfiltration channel within src/cjs/index.cjs. This flagged that data intended for decode() was being redirected to a Telegram bot.

Takedown requests for all five malicious packages and the associated threat actor’s account have been submitted to the npm security team.

A significant challenge in detecting this threat is the seemingly normal behavior of the malicious packages. A developer integrating raydium-bs58, for instance, would receive the expected output and encounter no errors, providing no indication that their private key was being simultaneously transmitted to an unauthorized Telegram group.

How the Key Theft Works

Each package in the campaign relies on function hooking: the attacker "wraps" a legitimate function that developers routinely pass private keys through. When a key is passed in, the wrapper intercepts it, sends it to the Telegram bot, and then hands control to the original function, which completes its normal work so that nothing looks wrong to the caller.

In the case of raydium-bs58, the modified decode() function executes a sendMessage() call with the private key before proceeding with the actual decoding process. This ensures the key is exfiltrated even if the subsequent decoding operation fails.
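The following is an added example, not code from the malicious packages or from Socket's analysis. It shows the hooking pattern described in this section and in the Solana-side description above: a wrapper around a Base58 decode() that sends its input to an exfiltration sink before calling the original. The Telegram sendMessage() call is replaced by an in-memory array so the example runs offline, and the Base58 decoder and the key strings are constructed for the demo.

```javascript
// Minimal Base58 decoder (Bitcoin alphabet). Stands in for the legitimate
// bs58/base-x decode() that the typosquatted packages impersonate.
const ALPHABET = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz';

function base58Decode(str) {
  const bytes = []; // little-endian accumulator
  for (const ch of str) {
    let carry = ALPHABET.indexOf(ch);
    if (carry < 0) throw new Error(`Non-base58 character: ${ch}`);
    for (let i = 0; i < bytes.length; i++) {
      carry += bytes[i] * 58;
      bytes[i] = carry & 0xff;
      carry >>= 8;
    }
    while (carry > 0) {
      bytes.push(carry & 0xff);
      carry >>= 8;
    }
  }
  // Each leading '1' in the input encodes a leading zero byte.
  for (let k = 0; k < str.length && str[k] === '1'; k++) bytes.push(0);
  return Uint8Array.from(bytes.reverse());
}

// The hook: wrap the real decode() so every input is pushed to the sink BEFORE
// decoding, then hand control to the original. The caller receives the same
// return value, or the same exception, as it would from the genuine library.
// In the real packages the sink is a Telegram Bot API sendMessage() call with
// a hardcoded bot token and chat ID.
function installHook(original, sink) {
  return function decode(str) {
    sink.push(String(str));
    return original(str);
  };
}

// Walks through the two cases from the article: a well-formed key string is
// decoded normally, and a malformed one still leaks even though decode() throws.
function runDemo() {
  const captured = [];                 // constructed stand-in for the Telegram chat
  const decode = installHook(base58Decode, captured);

  // Constructed, meaningless Base58 string; not a real key.
  const fakeKey = '2hN4pR7sV2wX5zA8bD1eF4gH7jK2mP5q';
  const normal = decode(fakeKey);      // indistinguishable from the real decode()

  let threw = false;
  try {
    decode('not-a-key-0OIl');          // '-', '0', 'O', 'I' and 'l' are not Base58
  } catch (e) {
    threw = true;                      // the caller sees the library's usual error...
  }
  return { normal, captured, threw };  // ...but captured already holds both inputs
}

if (typeof require !== 'undefined' && require.main === module) {
  const r = runDemo();
  console.log('decoded bytes:', r.normal.length);
  console.log('decode() threw on malformed input:', r.threw);
  console.log('what the attacker would have received:', r.captured);
}
```

Both the valid and the malformed input end up in the sink, while the caller only ever sees the decoder's ordinary return value or its ordinary error. That is why testing a package by its output cannot catch this class of attack; the check has to be on what the package is, not on what it returns.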

Telegram Bot API getChatAdministrators response (Source: Socket.dev)

The base-x-64 package adds a further layer of stealth: its payload is hidden behind an array-rotation obfuscator that scrambles the Telegram URL, bot token and chat ID, so none of them appears as a readable string literal during routine code review.

The bs58-basic package contains no malicious code of its own. Instead it lists base-x-64 as its sole runtime dependency, so the key theft happens through a transitive dependency without any red flag in bs58-basic itself.

The ethersproject-wallet package is a near-perfect clone of the legitimate @ethersproject/wallet 5.8.0 release. The only alteration is a single injected line of code, inserted after the TypeScript build step, a discrepancy confirmed by a mismatch between the source map and the compiled output.

What You Should Do

  • Immediately assume compromise for any private key that has passed through these malicious packages.
  • Transfer all funds from affected wallets to new, secure wallets.
  • Rotate all private keys that may have been exposed.
  • Verify all npm package dependencies, especially transitive ones. Running npm ls raydium-bs58 base-x-64 bs58-basic base_xd ethersproject-wallet in a project lists every place any of them appears in the dependency tree. The legitimate packages are bs58, base-x, and the scoped @ethersproject/wallet from the official ethers.js monorepo.
  • Exercise extreme caution with any npm package that re-exports cryptographic utilities with minimal wrapping or contains obfuscated code near key-handling logic; treat such packages as suspicious until thoroughly vetted.
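As an added example (not Socket's scanner and not an npm feature), the script below audits a lockfileVersion 2 or 3 package-lock.json for the five names above and for unscoped lookalikes of trusted scoped packages, and reports which dependency pulled each one in, which is what exposes the bs58-basic to base-x-64 chain. The sample lockfile embedded in it is constructed for the demo, and the TRUSTED_SCOPES list and the lookalike heuristic are assumptions of the example.

```javascript
// Names reported in the article. Extend as new typosquats are published.
const KNOWN_MALICIOUS = new Set([
  'raydium-bs58', 'base-x-64', 'bs58-basic', 'base_xd', 'ethersproject-wallet',
]);

// Assumption for the lookalike heuristic: the genuine packages live under these
// scopes, so an unscoped name that imitates one ("ethersproject-wallet" for
// "@ethersproject/wallet") is suspicious even before it reaches a blocklist.
const TRUSTED_SCOPES = ['@ethersproject', '@solana'];

// Constructed sample lockfile for the demo; the versions are not real releases.
const SAMPLE_LOCK = {
  name: 'wallet-tool',
  lockfileVersion: 3,
  packages: {
    '': { name: 'wallet-tool', dependencies: {
      'bs58-basic': '^1.0.0', 'ethersproject-wallet': '^5.8.0', '@solana/web3.js': '^1.95.0' } },
    'node_modules/bs58-basic': { version: '1.0.0', dependencies: { 'base-x-64': '^1.0.0' } },
    'node_modules/base-x-64': { version: '1.0.0' },
    'node_modules/ethersproject-wallet': { version: '5.8.0' },
    'node_modules/@solana/web3.js': { version: '1.95.0', dependencies: { bs58: '^4.0.1' } },
    'node_modules/bs58': { version: '4.0.1', dependencies: { 'base-x': '^3.0.2' } },
    'node_modules/base-x': { version: '3.0.2' },
  },
};

// 'node_modules/a/node_modules/b' -> 'b'; the project root '' -> '(root)';
// a workspace path without node_modules falls back to the entry's own name.
function nameFromPath(p, entry) {
  if (p === '') return '(root)';
  const i = p.lastIndexOf('node_modules/');
  if (i < 0) return (entry && entry.name) || p;
  return p.slice(i + 'node_modules/'.length);
}

function lookalikeOf(name) {
  if (name.startsWith('@')) return null;
  for (const scope of TRUSTED_SCOPES) {
    const prefix = scope.slice(1) + '-';   // '@ethersproject' -> 'ethersproject-'
    if (name.startsWith(prefix)) return `${scope}/${name.slice(prefix.length)}`;
  }
  return null;
}

function auditLockfile(lock) {
  if (lock.lockfileVersion !== 2 && lock.lockfileVersion !== 3) {
    throw new Error(`unsupported lockfileVersion ${lock.lockfileVersion}`);
  }
  const packages = lock.packages || {};

  // Reverse edges: dependency name -> names of the packages that declare it.
  const requiredBy = new Map();
  for (const [path, entry] of Object.entries(packages)) {
    const parent = nameFromPath(path, entry);
    for (const field of ['dependencies', 'optionalDependencies']) {
      for (const child of Object.keys(entry[field] || {})) {
        if (!requiredBy.has(child)) requiredBy.set(child, new Set());
        requiredBy.get(child).add(parent);
      }
    }
  }

  const findings = [];
  for (const [path, entry] of Object.entries(packages)) {
    if (path === '') continue;
    const name = nameFromPath(path, entry);
    const reasons = [];
    if (KNOWN_MALICIOUS.has(name)) reasons.push('known malicious (Socket report)');
    const genuine = lookalikeOf(name);
    if (genuine) reasons.push(`unscoped lookalike of ${genuine}`);
    if (reasons.length > 0) {
      findings.push({
        name, path, version: entry.version, reasons,
        requiredBy: [...(requiredBy.get(name) || [])].sort(),
      });
    }
  }
  return findings.sort((a, b) => a.name.localeCompare(b.name));
}

function formatFinding(f) {
  return `${f.name}@${f.version} (${f.path})\n  ${f.reasons.join('; ')}` +
    `\n  required by: ${f.requiredBy.join(', ')}`;
}

if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const lock = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], 'utf8'))
    : SAMPLE_LOCK;
  const findings = auditLockfile(lock);
  findings.forEach((f) => console.log(formatFinding(f)));
  process.exitCode = findings.length > 0 ? 1 : 0;
}
```

Run it as node audit.js path/to/package-lock.json; with no argument it audits the embedded sample, where it flags base-x-64 as required only by bs58-basic, which is exactly the transitive pattern that a review of the top-level package.json would miss. The exit code is 1 when anything is flagged, so the same script can gate a CI job.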

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.
