Security researchers have found a targeted supply chain attack aimed at cryptocurrency developers. The account "galedonovan" published five malicious npm packages that typosquat real Solana and Ethereum libraries. Once installed, these packages silently steal private keys and send them straight to a threat actor's Telegram bot.
One package was quickly taken down, but the campaign is still a serious threat to developers who work with digital assets. Developers need to check their package.json files right away. If any of these malicious packages are found, developers should assume that every private key handled by the affected project is also compromised. Affected users must move their funds and rotate their keys immediately.
The campaign consists of five packages: raydium-bs58, base-x-64, bs58-basic, ethersproject-wallet, and the short-lived base_xd.
All of the stolen data goes to a single Telegram bot, which forwards the keys to a private group run by a user named @crypto_sol3. Because the attack's Command and Control (C2) infrastructure is built entirely on Telegram's official API, there are no traditional malicious domains for security tools to block. The network request that exfiltrates the keys requires Node.js 18 or newer.
On older versions, the theft fails quietly without crashing the application. For Solana developers, the malware hooks the Base58 decode() function. For Ethereum developers, it targets the Wallet constructor in the fake ethersproject-wallet package. The packages use different levels of stealth: some are exact copies of a real library with a single line of hidden malicious code appended to the compiled output.
The malicious bs58-basic package, on the other hand, acts as a trap by pulling in the malicious base-x-64 as a hidden transitive dependency.