Malicious npm Packages Target Ethereum and Solana Developers

Malicious npm packages have been discovered targeting developers in the Ethereum and Solana ecosystems. The five packages were published under a single account and rely on typosquatting, mimicking legitimate crypto libraries.

The malicious campaign uses social engineering tactics to trick developers into installing the packages, which then steal private keys and send them to an attacker's Telegram bot. This makes the attack invisible to unaware developers, as the package sends the key to the attacker before returning the expected result.

Security researchers from Socket found the malicious packages and submitted takedown requests to npm. The researchers noted that four of the packages target Solana developers, while one targets Ethereum developers. The packages use global fetch, which requires Node.js 18 or later, and send data to a hardcoded Telegram endpoint.