npm, Solana and Ethereum: Five Malicious npm Packages Target Crypto Developers, Steal Wallet Keys via Telegram

Malicious npm Packages Target Solana and Ethereum Developers in Supply Chain Attack

A recent supply chain attack has compromised cryptocurrency developers by distributing five malicious npm packages that steal wallet private keys and exfiltrate them to a Telegram-based command-and-control (C2) server. The packages, published under the npm account galedonovan, impersonate legitimate crypto libraries to target both Solana and Ethereum ecosystems.

The identified packages, raydium-bs58, base-x-64, bs58-basic, ethersproject-wallet and the briefly published base_xd, were designed to intercept private-key operations. For Solana developers, the packages hook Base58 decode() calls; the Ethereum-focused ethersproject-wallet triggers its malicious code inside the Wallet constructor. In both cases the stolen keys are sent to a hardcoded Telegram bot (@Test20131_Bot) before the legitimate operation completes, giving the attackers what they need to drain the affected wallets.

The campaign relies on typosquatting and dependency confusion. Some packages carry no malicious code of their own: bs58-basic, for example, simply depends on base-x-64, which performs the theft. Array-rotation string obfuscation concealed the Telegram C2 endpoint, though one package (raydium-bs58) left the bot token and group invite URL exposed in a comment.

The campaign, active as of March 23, 2026, was discovered by Socket, which submitted takedown requests for the packages and the associated npm account. At the time of analysis, however, four of the five packages remained available in the registry. The attack infrastructure consists solely of the Telegram bot, so exfiltration keeps working for as long as the bot is active.

Attribution artifacts, including shared typos in package.json, identical compiled binaries and uniform file timestamps, point to a single developer behind the campaign. The operator's Telegram handle (@crypto_sol3) was linked to the bot's administration group. The malicious code depends on the global fetch() API available in Node.js 18 and later, so it runs in Node.js 18+ environments and fails silently on older versions.

Developers are advised to remove the affected packages and to treat any key that passed through them as compromised.

Source: https://gbhackers.com/five-malicious-npm-packages/

npm, Inc. cybersecurity rating report: https://www.rankiteo.com/company/npm-inc-

Solana Labs cybersecurity rating report: https://www.rankiteo.com/company/solanalabs

Ethereum cybersecurity rating report: https://www.rankiteo.com/company/ethereum

"id": "NPMSOLETH1774427254",
"linkid": "npm-inc-, solanalabs, ethereum",
"type": "Cyber Attack",
"date": "3/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'Cryptocurrency/Blockchain',
                        'name': 'Solana and Ethereum developers',
                        'type': 'Developers'}],
 'attack_vector': ['Typosquatting', 'Dependency Confusion'],
 'customer_advisories': 'Developers advised to remove affected packages and '
                        'rotate compromised keys.',
 'data_breach': {'data_exfiltration': 'Yes (to Telegram C2 server)',
                 'personally_identifiable_information': 'Private keys '
                                                        '(indirectly linked to '
                                                        'identities)',
                 'sensitivity_of_data': 'High (cryptocurrency wallet access)',
                 'type_of_data_compromised': 'Wallet private keys'},
 'date_detected': '2026-03-23',
 'description': 'A recent supply chain attack has compromised cryptocurrency '
                'developers by distributing five malicious npm packages that '
                'steal wallet private keys and exfiltrate them to a '
                'Telegram-based command-and-control (C2) server. The packages '
                'impersonate legitimate crypto libraries to target both Solana '
                'and Ethereum ecosystems.',
 'impact': {'data_compromised': 'Wallet private keys',
            'identity_theft_risk': 'High (private keys stolen)',
            'operational_impact': 'Compromised cryptocurrency wallets',
            'payment_information_risk': 'High (cryptocurrency wallets drained)',
            'systems_affected': 'Node.js 18+ environments'},
 'initial_access_broker': {'backdoors_established': 'Telegram C2 bot',
                           'entry_point': 'Malicious npm packages',
                           'high_value_targets': 'Solana and Ethereum '
                                                 'developers'},
 'investigation_status': 'Ongoing (malicious packages partially removed)',
 'motivation': 'Financial gain through cryptocurrency theft',
 'post_incident_analysis': {'corrective_actions': ['Takedown of malicious '
                                                   'packages',
                                                   'Developer awareness and '
                                                   'key rotation'],
                            'root_causes': ['Typosquatting',
                                            'Dependency confusion',
                                            'Obfuscated malicious code in npm '
                                            'packages']},
 'recommendations': 'Remove affected npm packages, treat exposed keys as '
                    'compromised, and verify dependencies for '
                    'typosquatting/dependency confusion risks.',
 'references': [{'source': 'Socket'}],
 'response': {'communication_strategy': 'Developer advisories to remove '
                                        'packages',
              'containment_measures': 'Takedown requests for malicious npm '
                                      'packages',
              'remediation_measures': 'Remove affected packages and treat '
                                      'exposed keys as compromised',
              'third_party_assistance': 'Socket (submitted takedown requests)'},
 'threat_actor': '@crypto_sol3',
 'title': 'Malicious npm Packages Target Solana and Ethereum Developers in '
          'Supply Chain Attack',
 'type': 'Supply Chain Attack',
 'vulnerability_exploited': 'Malicious npm packages impersonating legitimate '
                            'libraries'}