A critical supply chain attack has been uncovered targeting cryptocurrency developers, with five malicious npm packages designed to exfiltrate sensitive private wallet keys directly to a Telegram bot. These packages, published under the npm account “galedonovan,” masqueraded as legitimate development tools for both Solana and Ethereum ecosystems. Once installed, they operated stealthily, capturing key material and transmitting it to an attacker-controlled Telegram channel without raising any immediate alarms.
The coordinated campaign aimed to compromise developers working with two of the most prominent blockchain platforms. Four of the identified packages—raydium-bs58, base-x-64, bs58-basic, and base_xd—specifically targeted Solana developers by intercepting Base58 decode() calls, a common method for loading keypairs from private key strings. The fifth package, ethersproject-wallet, directly injected malicious code into the Ethereum Wallet constructor when a private key was provided. In both scenarios, the private key was transmitted in plain text to a Telegram group before the intended legitimate function completed, granting the attacker immediate control to drain associated wallets.
How Malicious npm Packages Compromise Crypto Wallets
Researchers at Socket.dev identified these five npm packages as part of a deliberate typosquatting effort. All packages were linked to the same npm account and utilized a hardcoded Telegram bot endpoint for exfiltrating the stolen data. The command and control (C2) infrastructure pointed to a single Telegram bot, @Test20131_Bot, with data being received in a group managed by @crypto_sol3 (display name: Crypto_Dev, user ID: 7847516435). The hardcoded bot token and chat ID within each package eliminated the need for an external staging server or domain, meaning the theft could occur as long as the Telegram bot remained operational.
Of the malicious packages, base_xd was quickly removed from npm merely five minutes after its publication. However, the remaining four packages were still active at the time of discovery. Socket’s AI scanner detected base-x-64 by identifying obfuscated code within the src/cjs/index.cjs file, which was responsible for sending data passed to the decode() function to a Telegram bot. Following this identification, takedown requests for all five packages and the associated threat actor’s npm account have been submitted to the npm security team.
The effectiveness of this attack lies in its subtlety. The malicious npm packages mimic the behavior of their legitimate counterparts almost perfectly. Developers who installed, for instance, raydium-bs58 would receive the correct output and encounter no errors, leading them to believe their system was unaffected, even as their private keys were being transmitted to an unknown party.
Understanding the Key Theft Mechanism
The core technique employed in this campaign is function hooking. The attacker injects malicious code that wraps a function developers commonly use to handle private keys. This wrapper intercepts the private key the moment it enters the function, transmits it to the Telegram bot, and then allows the original function to execute as if nothing happened.
In the case of raydium-bs58, the modified decode() function first calls a sendMessage() function with the private key before proceeding with the actual decoding process. This ensures the key is sent out even if the decoding operation itself were to fail. For base-x-64, the exfiltration payload is further concealed using an array rotation cipher specifically designed to scramble the Telegram URL, bot token, and chat ID, making it more difficult to detect during a code review.
An additional layer of deception was utilized by the bs58-basic package. This package contained no malicious code of its own but declared base-x-64 as its sole runtime dependency. This allowed the attack to propagate through a transitive dependency chain, bypassing direct scrutiny of bs58-basic itself and hiding the malicious activity. The ethersproject-wallet package closely replicated the legitimate @ethersproject/wallet version 5.8.0, with a single line of malicious code being injected after the TypeScript build process. This injection was confirmed by an inconsistency between the source map and the compiled output.
Developers who have installed any of these five npm packages should immediately consider all private keys that were processed through them to be compromised. It is critical to move funds to new, secure wallets and rotate keys without delay. The legitimate replacements for the compromised packages include bs58, base-x, and the officially maintained @ethersproject/wallet from the ethers.js monorepo. Developers must remain vigilant about auditing transitive dependencies, as evidenced by bs58-basic silently incorporating base-x-64. Moving forward, any npm package that acts as a thin wrapper around cryptographic utilities or contains obfuscated code near key management functions should be treated with extreme suspicion until its integrity can be thoroughly verified.