npm Malicious Packages: Crypto-Wallet Credential Theft Campaign Author: CyberDudeBivash

 Powered by: cyberdudebivash.com | cyberbivash.blogspot.com | cryptobivash.code.blog

What happened

Security researchers uncovered four npm packages posing as cryptographic/Flashbots utilities that exfiltrate private keys and seed phrases from developers’ machines (to a Telegram bot) — a coordinated supply-chain attack on Web3 builders. (Sources: Socket, The Hacker News)

Packages & publisher

  • @flashbotts/ethers-provider-bundle
  • flashbot-sdk-eth
  • sdk-ethers
  • gram-utilz
    Publisher alias: flashbotts (email aning2028@gmail[.]com). Exfil path includes Telegram bot ID 8083151136 and hard-coded SMTP transport; one package also force-redirects unsigned txs to wallet 0x38F528E7…E3E02. (Source: Socket)

Note: Similar npm crypto-theft waves have hit recently (e.g., nodejs-smtp, Nx incident), underscoring sustained targeting of developer toolchains. (Sources: The Hacker News, TechRadar)


Indicators of Compromise (quick copy)

  • Installed any of: @flashbotts/ethers-provider-bundle, flashbot-sdk-eth, sdk-ethers, gram-utilz
  • Outbound traffic to the Telegram bot/chat IDs listed above or to smtp.mailtrap.io:2525 during npm install / runtime
  • Wallet drains or transactions unexpectedly retargeted to 0x38F528E7…E3E02 (Source: Socket)

What to do now (prioritized)

  1. Immediately remove the four packages from any projects and rotate all exposed secrets (private keys, mnemonics, env vars). (Source: Socket)
  2. Audit your dependency tree: npm ls | grep -E "(flashbot-sdk-eth|sdk-ethers|ethers-provider-bundle|gram-utilz)".
  3. Lock & verify: enforce lockfiles (npm ci in CI), enable immutable installs, and pin exact versions.
  4. Runtime egress controls in CI/dev: block Telegram/SMTP and unknown domains during builds to catch exfil attempts.
  5. Use supply-chain scanners (e.g., Socket, Snyk) and enable guardrails for AI code assistants to prevent hallucinated package installs. (Sources: Socket, TechRadar)
  6. Principle of least privilege for tokens: use scoped, read-only npm/GitHub tokens; store secrets in a vault, not .env files synced to repos.
  7. Hunt for artifacts: search logs for the bot/chat IDs and the Mailtrap host; review git history for added dependencies matching the above names. (Source: Socket)
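The following Node.js script is an added example (not code from the original post or from Socket) that automates step 2 and step 7 above together with the IoC list: it walks a package-lock.json to catch the four package names even when they are pulled in transitively (plain `npm ls` only prints direct dependencies unless you pass `--all`, which is why reading the lockfile is more reliable), and it scans proxy/egress log lines for the Telegram bot ID and the Mailtrap SMTP host. The lockfile and log lines embedded below are constructed sample data; the wallet address is truncated in the advisory, so only its visible prefix is matched.

```javascript
// Added example: hunt for the advisory's package and network indicators.
// Sample lockfile and log lines are constructed, not real captures.

// Package names named in the advisory.
const MALICIOUS_PACKAGES = new Set([
  '@flashbotts/ethers-provider-bundle',
  'flashbot-sdk-eth',
  'sdk-ethers',
  'gram-utilz',
]);

// Network / on-chain indicators from the advisory. The wallet is truncated on
// the page (0x38F528E7…E3E02), so only the visible prefix is used here.
const NETWORK_IOCS = [
  { name: 'telegram-bot-id', pattern: /8083151136/ },
  { name: 'mailtrap-smtp', pattern: /smtp\.mailtrap\.io:2525/ },
  { name: 'attacker-wallet-prefix', pattern: /0x38F528E7/i },
];

// npm lockfileVersion 2/3 lists every installed package under "packages",
// keyed by its on-disk path, e.g. "node_modules/sdk-ethers" or, for a
// transitive dependency, "node_modules/foo/node_modules/sdk-ethers".
function findMaliciousDependencies(lockfile) {
  const hits = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    if (path === '') continue; // root project entry, not a dependency
    const marker = 'node_modules/';
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    if (MALICIOUS_PACKAGES.has(name)) {
      hits.push({ name, path, version: meta.version });
    }
  }
  return hits;
}

// Returns one match record per (line, indicator) pair found in the log lines.
function scanLogLines(lines) {
  const matches = [];
  lines.forEach((line, index) => {
    for (const ioc of NETWORK_IOCS) {
      if (ioc.pattern.test(line)) {
        matches.push({ line: index + 1, ioc: ioc.name });
      }
    }
  });
  return matches;
}

// Constructed lockfile: one direct hit, one scoped hit, one transitive hit.
const SAMPLE_LOCKFILE = {
  name: 'sample-dapp',
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-dapp', dependencies: { ethers: '^6.0.0', 'sdk-ethers': '^1.0.0' } },
    'node_modules/ethers': { version: '6.13.0' },
    'node_modules/sdk-ethers': { version: '1.0.0' },
    'node_modules/@flashbotts/ethers-provider-bundle': { version: '1.0.1' },
    'node_modules/some-helper': { version: '2.1.0' },
    'node_modules/some-helper/node_modules/gram-utilz': { version: '0.1.0' },
  },
};

// Constructed egress log lines in a generic proxy format (timestamp, verb, target).
const SAMPLE_LOG = [
  '2025-09-01T10:00:00Z CONNECT registry.npmjs.org:443 allow',
  '2025-09-01T10:00:03Z CONNECT smtp.mailtrap.io:2525 allow',
  '2025-09-01T10:00:05Z POST https://api.telegram.org/bot8083151136:REDACTED/sendMessage',
  '2025-09-01T10:00:09Z CONNECT github.com:443 allow',
  '2025-09-01T10:01:00Z eth_sendRawTransaction to=0x38F528E7[truncated in advisory]',
];

console.log('malicious dependencies:', findMaliciousDependencies(SAMPLE_LOCKFILE));
console.log('log indicator hits:', scanLogLines(SAMPLE_LOG));
```

To run it against a real project, replace `SAMPLE_LOCKFILE` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` and `SAMPLE_LOG` with the lines of your build proxy or egress log; any non-empty result from either function is a trigger for step 1 (remove the package and rotate every secret the machine could have read).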

One-paragraph summary for your readers

A threat actor published four npm packages — @flashbotts/ethers-provider-bundle, flashbot-sdk-eth, sdk-ethers, gram-utilz — that masquerade as Flashbots/crypto tools but steal wallet secrets to a Telegram bot and can even redirect unsigned transactions to an attacker wallet. Remove them, rotate keys, lock your supply chain, and block egress to Telegram/SMTP during builds. (Source: Socket)


#CyberDudeBivash #npmSecurity #SoftwareSupplyChain #Web3 #CryptoWallets #MaliciousPackages #Flashbots #OSS #ThreatIntel #CyberDefense
