
Five Malicious npm Packages Target Crypto Developers, Exfiltrate Wallet Keys via Telegram

Cybersecurity News, Mar 25, 2026




The cryptocurrency development community is facing a serious supply chain threat after five malicious npm packages were discovered stealing private wallet keys and forwarding them directly to a Telegram bot. Published under the npm account "galedonovan", the packages were crafted to look like trusted libraries that Solana and Ethereum developers rely on every day. Once installed, they work silently in the background, capturing key material and sending it to the attacker without triggering any visible errors.

The campaign targets both major blockchain ecosystems at once. Four packages, raydium-bs58, base-x-64, bs58-basic and base_xd, go after Solana developers by intercepting Base58 decode() calls, the standard way to load a keypair from a private key string. The fifth, ethersproject-wallet, hooks the Ethereum Wallet constructor the moment a private key is passed in. In both cases the key travels in plain text to a Telegram group before the legitimate function finishes, giving the attacker immediate access to drain any connected wallet.

Socket.dev researchers identified all five packages as part of a coordinated typosquatting campaign, noting that each was tied to the same npm account and used the same hardcoded Telegram bot endpoint for exfiltration. The C2 infrastructure led to a single Telegram bot, @Test20131_Bot, with a receiving group run by @crypto_sol3 (display name: Crypto_Dev, user ID: 7847516435). Because the bot token and chat ID were hardcoded into every package, no external staging server or domain was needed: the theft worked for as long as the Telegram bot stayed online. One package, base_xd, was pulled from npm just five minutes after it was published, but the other four remained live at the time of discovery.
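The interception described above, as an added example that is not the article's or Socket's code and not the malicious packages' own source: a safe re-creation of the hooking pattern in Node.js. base58Decode is a small reimplementation of what bs58/base-x do (assumed here only for a runnable baseline), makeSink stands in for the attacker's Telegram sendMessage() call and records payloads in memory, and the input key string is constructed. Nothing leaves the process.

```javascript
// Added example: re-creates the function-hooking pattern with an in-memory sink
// instead of a Telegram bot. Not the real package code.

const BASE58_ALPHABET = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz';

// Genuine behaviour: Base58 string -> bytes, as a Solana keypair loader would call it.
// Minimal reimplementation (assumption), same alphabet as bs58.
function base58Decode(str) {
  if (typeof str !== 'string' || str.length === 0) throw new TypeError('Expected a non-empty string');
  let n = 0n;
  for (const ch of str) {
    const idx = BASE58_ALPHABET.indexOf(ch);
    if (idx === -1) throw new Error('Non-base58 character');
    n = n * 58n + BigInt(idx);
  }
  const bytes = [];
  while (n > 0n) { bytes.unshift(Number(n & 0xffn)); n >>= 8n; }
  let zeros = 0;                                   // each leading '1' is a zero byte
  while (zeros < str.length && str[zeros] === '1') zeros++;
  return Uint8Array.from([...new Array(zeros).fill(0), ...bytes]);
}

// Stand-in for the attacker's sendMessage(): records what would have been exfiltrated.
function makeSink() {
  const received = [];
  return { send: (text) => { received.push(text); }, received };
}

// The hook, shaped like the article's description of raydium-bs58: the input goes to the
// sink BEFORE the real decode runs, so it leaks even when decode throws, and the caller
// receives exactly the genuine result with no visible error.
function makeHookedDecode(realDecode, send) {
  return function decode(str) {
    try { send(String(str)); } catch (_) { /* exfil failures are swallowed, nothing surfaces */ }
    return realDecode(str);
  };
}

// Runs the genuine and hooked decoders on the same constructed input and reports
// what a victim would observe versus what the sink captured.
function demonstrate(keyString) {
  const sink = makeSink();
  const hooked = makeHookedDecode(base58Decode, sink.send);
  const genuine = base58Decode(keyString);
  const viaHook = hooked(keyString);
  const outputsMatch = genuine.length === viaHook.length && genuine.every((b, i) => b === viaHook[i]);

  let threw = false;
  try { hooked('0OIl'); } catch (_) { threw = true; }  // '0', 'O', 'I', 'l' are not Base58

  return { outputsMatch, threwOnBadInput: threw, leaked: sink.received };
}
```

Calling demonstrate('5R') returns identical bytes from both decoders and a thrown error for the malformed input, while the sink holds both strings: the victim sees correct output and a normal error, and the key has already left. That is why the article's advice is to treat every key that passed through these packages as compromised rather than to look for symptoms.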
[Figure: The galedonovan profile (Source – Socket.dev)]

Socket's AI scanner caught base-x-64 by spotting the obfuscated exfiltration channel inside src/cjs/index.cjs and flagging that data passed to decode() was being sent to a Telegram bot. Takedown requests for all five packages and the threat actor's account have been submitted to the npm security team.

The threat is especially hard to detect because the malicious packages behave exactly like the real ones. A developer who installs raydium-bs58 gets back the correct output, sees no errors and has no reason to suspect anything, even as their private key is sent to a stranger's Telegram group.

How the Key Theft Works

Each package in this campaign relies on a technique known as function hooking. The attacker wraps a function that developers regularly pass private keys through, intercepts the key the moment it arrives, sends it to a Telegram bot, and then hands control back to the original function so everything appears to work normally. In raydium-bs58, the modified decode() calls sendMessage() with the key before running the actual decode, so the key is sent out even if the decode itself fails.

[Figure: Telegram Bot API getChatAdministrators response (Source – Socket.dev)]

In base-x-64, the payload hides behind an array rotation cipher that scrambles the Telegram URL, bot token and chat ID, making it harder to spot during code review. The package bs58-basic carries no malicious code of its own; it simply lists base-x-64 as its only runtime dependency, so the theft happens through a transitive chain with no obvious red flag in the package itself. The ethersproject-wallet package clones the legitimate @ethersproject/wallet 5.8.0 release almost perfectly, with a single injected line inserted after the TypeScript build step, confirmed by a mismatch between the source map and the compiled output.

Any developer who installed these packages should treat every private key that passed through them as fully compromised.
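The source-map mismatch that exposed ethersproject-wallet, as an added example that is neither Socket's tooling nor the ethers.js project's code: two checks for a compiled npm package whose JavaScript no longer agrees with its source map. The first is a cheap count of generated code lines against the map's per-line groups; the second diffs the suspect file against the pristine upstream build (assumed to be available, e.g. from the official tarball) to localise the injected line. The build text, the map and the name sendToAttacker are all constructed fixtures, not the real package contents.

```javascript
// Added example: detects a post-build edit to a compiled file by (1) comparing code
// line count with source map line groups and (2) diffing against the pristine build.
// Constructed fixtures; not real package content.

function codeLines(source) {
  // Ignore blank lines and comment-only lines (e.g. the trailing //# sourceMappingURL).
  return source.split('\n').filter((l) => l.trim() !== '' && !l.trim().startsWith('//'));
}

function mappedLineCount(sourceMap) {
  // "mappings" carries one ';'-separated group per generated line; an empty group
  // means the build step produced no mapping for that line.
  return sourceMap.mappings.split(';').filter((g) => g.length > 0).length;
}

// Lines present in `suspect` but absent from `baseline`, via a longest-common-subsequence diff.
function addedLines(baseline, suspect) {
  const a = baseline.split('\n');
  const b = suspect.split('\n');
  const n = a.length;
  const m = b.length;
  const lcs = Array.from({ length: n + 1 }, () => new Array(m + 1).fill(0));
  for (let i = n - 1; i >= 0; i--) {
    for (let j = m - 1; j >= 0; j--) {
      lcs[i][j] = a[i] === b[j] ? lcs[i + 1][j + 1] + 1 : Math.max(lcs[i + 1][j], lcs[i][j + 1]);
    }
  }
  const added = [];
  let i = 0;
  let j = 0;
  while (i < n && j < m) {
    if (a[i] === b[j]) { i++; j++; }
    else if (lcs[i + 1][j] >= lcs[i][j + 1]) { i++; }       // baseline line dropped
    else { added.push({ line: j + 1, text: b[j] }); j++; }  // line only in suspect
  }
  for (; j < m; j++) added.push({ line: j + 1, text: b[j] });
  return added;
}

function auditBuild(pristine, suspect, sourceMap) {
  const generated = codeLines(suspect).length;
  const mapped = mappedLineCount(sourceMap);
  return {
    generatedCodeLines: generated,
    mappedLines: mapped,
    postBuildEdit: generated > mapped,    // more code than the compiler mapped
    added: addedLines(pristine, suspect), // where the extra code sits
  };
}

// Constructed stand-in for a tsc CommonJS build of a wallet module.
const PRISTINE_BUILD = [
  '"use strict";',
  'Object.defineProperty(exports, "__esModule", { value: true });',
  'exports.Wallet = void 0;',
  'class Wallet {',
  '    constructor(privateKey) {',
  '        this.privateKey = privateKey;',
  '    }',
  '}',
  'exports.Wallet = Wallet;',
  '//# sourceMappingURL=index.js.map',
].join('\n');

// Same file with one line inserted after the build (sendToAttacker is a placeholder name).
const SUSPECT_BUILD = PRISTINE_BUILD.replace(
  '    constructor(privateKey) {\n',
  '    constructor(privateKey) {\n        sendToAttacker(privateKey);\n',
);

// Shortened map: nine mapped lines, one per code line of the pristine build, nothing for
// the trailer comment. Real maps carry full VLQ segments; only the group count is used here.
const BUILD_MAP = { version: 3, mappings: new Array(9).fill('AAAA').join(';') };
```

auditBuild(PRISTINE_BUILD, SUSPECT_BUILD, BUILD_MAP) reports ten code lines against nine mapped lines and lists line 6 as the addition, while the pristine file audits clean. Which prologue lines a given toolchain maps varies, so treat the count as a signal and let the diff against the upstream build confirm it; the diff is quadratic in line count, which is fine for library files of a few hundred lines.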
Funds should be moved and keys rotated without delay. The legitimate replacements are bs58, base-x and the scoped @ethersproject/wallet from the official ethers.js monorepo. Transitive dependencies must be audited as well, since bs58-basic silently pulls in base-x-64. Going forward, any npm package that re-exports a cryptographic utility behind a thin wrapper, or that contains obfuscated code near key-handling logic, should be treated as suspicious until proven otherwise.
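The transitive audit the article calls for, as an added example that is not the article's or Socket's code: a Node.js walk over a package-lock.json (lockfileVersion 3 layout) that follows npm's nested node_modules resolution and reports every chain from the project root ending in one of the five package names, so a pull such as bs58-basic to base-x-64 shows up with its parent. A second helper scans file contents for a hardcoded Telegram Bot API endpoint of the shape the article describes. The lockfile, the versions in it, the source snippet and the bot token in it are constructed fixtures.

```javascript
// Added example: lockfile audit for the reported package names plus a plain-text IOC scan
// for Telegram Bot API endpoints. Fixtures below are constructed, not real package data.

const MALICIOUS_NPM_PACKAGES = new Set([
  'raydium-bs58', 'base-x-64', 'bs58-basic', 'base_xd', 'ethersproject-wallet',
]);

// Constructed package-lock.json (lockfileVersion 3: "packages" keyed by install path).
const SAMPLE_LOCKFILE = {
  name: 'trading-bot',
  lockfileVersion: 3,
  packages: {
    '': { name: 'trading-bot', dependencies: { 'bs58-basic': '^1.0.0', 'bs58': '^6.0.0' } },
    'node_modules/bs58-basic': { version: '1.0.0', dependencies: { 'base-x-64': '^1.0.0' } },
    'node_modules/base-x-64': { version: '1.0.0' },
    'node_modules/bs58': { version: '6.0.0', dependencies: { 'base-x': '^5.0.0' } },
    'node_modules/base-x': { version: '5.0.0' },
  },
};

function packageName(installPath) {
  return installPath.slice(installPath.lastIndexOf('node_modules/') + 'node_modules/'.length);
}

// npm resolves a dependency from the nearest nested node_modules, then walks up to the root.
function resolveDependency(packages, fromPath, depName) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + '/' : '') + 'node_modules/' + depName;
    if (packages[candidate]) return candidate;
    if (base === '') return null;
    const cut = base.lastIndexOf('/node_modules/');
    base = cut === -1 ? '' : base.slice(0, cut);
  }
}

// Every dependency chain from the project root that ends in a flagged package.
function findFlaggedChains(lockfile, flagged = MALICIOUS_NPM_PACKAGES) {
  const packages = lockfile.packages || {};
  const chains = [];
  const visited = new Set(['']);
  (function walk(fromPath, chain) {
    const entry = packages[fromPath] || {};
    const deps = { ...entry.dependencies, ...entry.devDependencies, ...entry.optionalDependencies };
    for (const depName of Object.keys(deps)) {
      const depPath = resolveDependency(packages, fromPath, depName);
      if (!depPath) continue;                              // not installed (e.g. skipped optional)
      const next = chain.concat(packageName(depPath));
      if (flagged.has(packageName(depPath))) chains.push(next);
      if (!visited.has(depPath)) { visited.add(depPath); walk(depPath, next); }
    }
  })('', []);
  return chains;
}

// Bot API URL shape: api.telegram.org/bot<id>:<secret>/<method>. A plain string scan will
// NOT catch the obfuscated form the article attributes to base-x-64.
const TELEGRAM_BOT_URL = /api\.telegram\.org\/bot(\d+):([A-Za-z0-9_-]{20,})\/(\w+)/g;

function findTelegramEndpoints(source) {
  return [...source.matchAll(TELEGRAM_BOT_URL)].map((m) => ({ botId: m[1], method: m[3] }));
}

// Constructed snippet; the token is a placeholder, not a real one.
const SAMPLE_SOURCE =
  'const base = require("base-x")(ALPHABET);\n' +
  'const URL = "https://api.telegram.org/bot0000000000:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/sendMessage";\n';
```

findFlaggedChains(SAMPLE_LOCKFILE) returns ['bs58-basic'] and ['bs58-basic', 'base-x-64'], showing the transitive pull the article warns about, while the legitimate bs58 to base-x path is silent. To run against a real project, pass JSON.parse(fs.readFileSync('package-lock.json', 'utf8')) and run findTelegramEndpoints over each file under node_modules; treat hits from either check as grounds to rotate every key the affected code handled.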