2026-05-135 mincritical

5 Malicious npm Packages Typosquat Solana and Ethereum Libraries to Steal Private Keys

A supply chain attack campaign utilizing five typosquatted npm packages targets Solana and Ethereum developers. The packages silently intercept private keys during routine cryptographic operations and exfiltrate them to a Telegram bot, leveraging transitive dependencies and obfuscation to evade detection.

Sens:■ ImmediateConf:highAnalyzed:2026-03-26reports

Authors: Socket's Threat Research Team

Actorsgaledonovan@crypto_sol3

Telegram C2 Typosquatting npm Supply Chain Cryptocurrency

Source:Socket

IOCs · 2

sha256
d747b41739349828566bfae0b522ef4b746a6f46e828a395d1f3922b66442d40Identical malicious CJS payload shared between base-x-64 and base_xd packages.
url
hxxps://api[[.]]telegram[[.]]org/bot7231970337:AAExyV3dvbNs6xkMJB7S2hArUash9owd-bw/sendMessageHardcoded Telegram Bot API endpoint used for private key exfiltration.

Key Takeaways

Five malicious npm packages typosquatting Solana and Ethereum libraries were discovered stealing private keys.
The packages hook standard key-handling functions (like decode() or the Wallet constructor) to silently exfiltrate keys to a hardcoded Telegram bot.
The campaign relies on the Node.js 18+ fetch() API for exfiltration, failing silently on older runtimes.
One package (bs58-basic) acts as a transitive dependency vector, containing no malicious code itself but pulling in the malicious base-x-64 package.

Affected Systems

Node.js 18+ environments
Solana developers
Ethereum developers

Attack Chain

The threat actor publishes typosquatted npm packages mimicking legitimate Solana and Ethereum libraries. Developers inadvertently install these packages, either directly or via transitive dependencies. When the developer's application runs and processes private keys using standard functions (like decode() or the Wallet constructor), the malicious package intercepts the key material. The package then uses the native Node.js fetch() API to silently send the plaintext private key to a hardcoded Telegram bot, allowing the attacker to drain the compromised wallets.

Detection Availability

YARA Rules: No
Sigma Rules: No
Snort/Suricata Rules: No
KQL Queries: No
Splunk SPL Queries: No
EQL Queries: No
Other Detection Logic: No
Platforms: Socket

The article does not provide raw detection rules but notes that the Socket platform (AI Scanner, GitHub App, CLI, Firewall) can detect and block these malicious packages based on dependency graph analysis, obfuscation detection, and unexpected network calls.

Detection Engineering Assessment

EDR Visibility: Low — The malicious activity occurs entirely within the Node.js runtime environment using native APIs (fetch), making it difficult for standard EDRs to distinguish from legitimate application behavior without deep application-layer inspection. Network Visibility: Medium — Network monitoring can detect unexpected outbound HTTPS connections to api.telegram.org originating from development environments or production servers hosting Node.js applications. Detection Difficulty: Moderate — While the network IOCs (Telegram API) are clear, they are often lost in the noise of legitimate Telegram usage. Detecting the malicious packages requires robust SCA and dependency scanning tools.

Required Log Sources

Network flow logs
DNS query logs
Software Composition Analysis (SCA) alerts

Hunting Hypotheses

Hypothesis	Telemetry	ATT&CK Stage	FP Risk
Look for unexpected outbound network connections to api.telegram.org originating from Node.js processes on developer workstations or production servers.	Network flow logs, Process execution logs	Exfiltration	Medium (Some legitimate applications may use Telegram bots for notifications)
Identify projects with dependencies on known typosquatted packages (e.g., raydium-bs58, base-x-64) by scanning package.json and package-lock.json files.	File system logs, SCA tool output	Initial Access	Low

Control Gaps

Lack of transitive dependency scanning
Permissive egress network filtering on developer endpoints

Key Behavioral Indicators

Node.js applications making unexpected calls to Telegram Bot APIs
Presence of obfuscated JavaScript arrays and rotation ciphers in node_modules
Packages re-exporting crypto primitives with thin wrappers

False Positive Assessment

Recommendations

Immediate Mitigation

Audit package.json for raydium-bs58, base-x-64, base_xd, bs58-basic, and ethersproject-wallet and remove them immediately.
Treat any private keys processed by these packages as compromised, move funds, and rotate keys immediately.

Infrastructure Hardening

Implement strict egress network filtering to block unexpected outbound connections to messaging platforms like Telegram from production servers.
Enforce allow/deny rules for npm packages in CI/CD pipelines.

User Protection

Deploy browser extensions or IDE plugins that surface risk signals for npm packages before installation.
Educate developers on verifying package names and scopes (e.g., using @ethersproject/wallet instead of typosquats).

Security Awareness

Train development teams on the risks of typosquatting and the importance of auditing transitive dependencies.

MITRE ATT&CK Mapping

T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain
T1059.007 - Command and Scripting Interpreter: JavaScript
T1027 - Obfuscated Files or Information
T1552.004 - Unsecured Credentials: Private Keys
T1071.001 - Application Layer Protocol: Web Protocols

Additional IOCs

Domains:
- api[.]telegram[.]org - Legitimate domain abused for C2 exfiltration.
Urls:
- hxxps://t[[.]]me/+IDl6XgFBZdI1ZjZh - Telegram Group Invite leaked in the raydium-bs58 package source code.
File Hashes:
- 5bfef9a8d08b7efb5054019383f97b5526535331 (SHA1) - ethersproject-wallet package hash
- 4e7facc47d028ecde8d4f0fe36968c79a6e9d1cd (SHA1) - base-x-64 package hash
- 0e6ad52c5377fd60065c8d91fe12485cb8c79ea7 (SHA1) - bs58-basic package hash
- 23ce64d018ff8adbb2426958794a4e718d2a30c8 (SHA1) - raydium-bs58 package hash
- 52715dc8a1b766e492e245cb798e83d50021138cc2d05ec4eacf42cbfac7541d (SHA256) - raydium-bs58/index.js file hash
- 725cde7a57d75d56f5a75a0482150461594d4558e42425ff0600dfbe5bfb7ba9 (SHA256) - base-x-64/src/esm/index.js file hash
- 73f452ad6754d669c7a86a9633ddbc1e14717434df710f306096a7a4960ca09b (SHA256) - base_xd/src/esm/index.js file hash
- 65a04d9264e3ce76137e7832d17f3e3b122e4ffdf0dac6676bed4d200ca22401 (SHA256) - bs58-basic/src/cjs/index.cjs file hash
- c3cfbc8586be14798155fbd50650bc3ca6f7a53428c14b13e372e8544b73c2f4 (SHA256) - bs58-basic/src/esm/index.js file hash
- 0ea3af80b159d812334a97842a31ba77079fdfc33a8702cdfc29a0dfe33c015a (SHA256) - ethersproject-wallet/lib/index.js file hash
- fa1ce4d1ba3aaedc3cda180d4ae0efe2b0c9d90a028a721b0f3efff6ba7e1cd5 (SHA256) - ethersproject-wallet/lib.esm/index.js file hash
File Paths:
- src/cjs/index.cjs - Location of the obfuscated exfiltration payload in base-x-64 and base_xd.
Other:
- galedonovan0121@gmail[.]com - npm registered email for the threat actor.
- @crypto_sol3 - Telegram Group Creator Username.
- 7847516435 - Telegram Group Creator User ID.