Five malicious npm packages were found that steal private wallet keys and send them straight to a Telegram bot. The packages were made to look like libraries that Solana and Ethereum developers use every day and trust.

Once installed, they run quietly in the background, collecting sensitive data and sending it to the attacker. One package, base_xd, was removed from npm just five minutes after it was published, but the other four were still available at the time of discovery. The npm security team has received takedown requests for all five packages and for the threat actor's account. The campaign targets the two largest blockchain ecosystems at the same time.

The threat is hard to spot because the malicious packages behave just like the legitimate ones.

A developer who installs raydium-bs58 gets correct output, sees no errors, and has no reason to suspect anything is wrong. The payload is hidden behind an array-rotation cipher that obfuscates the Telegram URL, bot token, and chat ID, making it harder to find. Anyone who installed these packages should assume that every private key that passed through them is fully compromised.

Funds should be moved and keys rotated without delay. The legitimate replacements are bs58, base-x, and the scoped @ethersproject/wallet from the official ethers.js monorepo. Transitive dependencies need to be checked as well, because bs58-basic silently pulls in base-x-64.

From now on, any npm package that re-exports a cryptographic tool behind a thin wrapper, or that contains obfuscated code near key-handling logic, should be treated as suspicious until proven otherwise.