
New NPM Supply Chain Campaign Identified: A Multi-Stage Cryptocurrency Malware with More Than 2.7 Million Downloads.
Cyfirma Research identified a cryptocurrency-focused software supply chain campaign involving multiple malicious npm packages targeting blockchain developers, Web3 projects, cryptocurrency wallet operators, and cloud-native development environments. Notably, one of the identified packages, moralis-sdk, had accumulated more than 2.7 million downloads, significantly increasing the potential reach and impact of the campaign.
The investigation began with the discovery of ethers-jss and coinbase-wallet-utils, two malicious packages impersonating legitimate blockchain development utilities. Through publisher pivoting, infrastructure analysis, and code correlation, the investigation expanded to a total of eleven highly suspicious npm packages exhibiting overlapping tactics and objectives.
The identified packages employed typosquatting, brand impersonation, npm lifecycle hook abuse, credential harvesting, wallet theft, remote payload delivery, and blockchain-based command-and-control mechanisms. Analysis revealed three operational clusters: a credential theft campaign targeting Web3 developers (ethers-jss and coinbase-wallet-utils), a trojanized package delivering multi-stage malware (moralis-sdk), and a long-running typosquatting campaign (Ganach, Solidty, and Stelar-sdk) leveraging blockchain-hosted infrastructure and cross-platform payload delivery.
The npm user ethcompat published five (5) malicious packages (hardhat-deploy-utils, web3-deploy-helper, defi-sdk-core, ethers-compat, and ethereum-dev-utils) that collectively accumulated 2,236 downloads while masquerading as legitimate Ethereum and Web3 development utilities.
Technical analysis uncovered capabilities including cryptocurrency wallet interception, private key and mnemonic phrase theft, SSH credential harvesting, environment variable collection, sensitive file discovery, remote activation mechanisms, blockchain-based infrastructure retrieval, and multi-stage malware deployment.
The findings demonstrate how threat actors continue to weaponize trusted open-source ecosystems to compromise cryptocurrency developers and development infrastructure. The scale of distribution observed, particularly the 2.7+ million downloads associated with moralis-sdk, highlights the potential impact of malicious dependencies and reinforces the need for rigorous dependency auditing, package verification, and continuous software supply chain monitoring.
The widespread adoption of open-source software has significantly accelerated innovation across blockchain and Web3 ecosystems. Modern cryptocurrency applications, decentralized finance platforms, NFT marketplaces, and blockchain infrastructure projects rely heavily on publicly available npm packages to reduce development time and simplify integration of complex functionality. While this model provides substantial benefits to developers, it also creates an attractive attack surface for threat actors seeking to compromise downstream users through software supply chain attacks.
In recent years, malicious actors have increasingly targeted open-source package repositories by publishing trojanized libraries, typosquatting packages, and malicious dependency updates designed to execute code automatically during installation. These attacks enable adversaries to gain access to developer environments, steal credentials, compromise infrastructure, and deploy additional malware while leveraging the inherent trust developers place in widely used package ecosystems.
This report presents our investigation into eleven highly suspicious npm packages targeting cryptocurrency and Web3 development environments. The investigation originated from the discovery of ethers-jss and coinbase-wallet-utils, two packages impersonating legitimate blockchain development tools. Further analysis expanded the scope of the investigation and revealed additional malicious packages, including moralis-sdk, Ganach, Solidty, hardhat-deploy-utils, web3-deploy-helper, defi-sdk-core, ethers-compat, ethereum-dev-utils, and stelar-sdk.
Across the identified packages, researchers observed multiple attack techniques including npm lifecycle hook abuse, credential harvesting, wallet interception, secret discovery, blockchain-based command-and-control infrastructure, remote payload delivery, and cross-platform malware execution. The diversity of techniques demonstrates a mature understanding of developer workflows and highlights the growing focus of threat actors on cryptocurrency-related environments where successful compromise can result in direct financial gain.
The objective of this report is to provide a detailed technical analysis of the identified packages, document observed attack chains, examine infrastructure and behavioural overlaps, assess potential impact, and provide recommendations to help organizations defend against emerging software supply chain threats targeting blockchain development ecosystems.
During the investigation, we identified eleven highly suspicious npm packages targeting cryptocurrency developers and Web3 ecosystems. While the packages utilized different infection chains and operational techniques, they shared a common objective of compromising developer environments, harvesting sensitive credentials, and facilitating further malicious activity.
Collectively, the identified packages recorded more than 2.72 million downloads, highlighting the potential scale and impact of the campaign.
| Package | Type | Infection Method | Objective | Total Downloads |
|---|---|---|---|---|
| ethers-jss | Trojanized wrapper | preinstall | Wallet theft | 311 |
| coinbase-wallet-utils | Info stealer | postinstall | Recon + exfiltration | 185 |
| moralis-sdk | Downloader | postinstall | Payload delivery | 2,717,472 |
| Ganach | Typosquat loader | postinstall | Malware deployment | 162 |
| Solidty | Typosquat loader | postinstall | Malware deployment | 2,997 |
| Stelar-sdk | Typosquat loader | postinstall | Malware deployment | 3,038 |
| hardhat-deploy-utils | Web3 credential harvester | postinstall | Wallet theft | 489 |
| web3-deploy-helper | Web3 credential harvester | postinstall | Wallet theft | 467 |
| defi-sdk-core | Web3 credential harvester | postinstall | Wallet theft | 440 |
| ethers-compat | Web3 credential harvester | postinstall | Wallet theft | 421 |
| ethereum-dev-utils | Web3 credential harvester | postinstall | Wallet theft | 419 |
The first cluster identified during the investigation consists of two malicious npm packages, ethers-jss and coinbase-wallet-utils, both designed to impersonate legitimate cryptocurrency development utilities and target Web3 developers.
Analysis of package metadata revealed that both packages were published on 9 May 2026 by the same maintainer account, sazuki, strongly suggesting a coordinated operation. The shared publication timeline, cryptocurrency-focused branding, and similar targeting objectives indicate that the packages were likely developed and deployed as part of the same supply chain campaign.

The ethers-jss package was presented as a legitimate Ethereum wallet and utility library. Its description, “Complete Ethereum wallet implementation and utilities in JavaScript,” closely resembles authentic Ethereum development tools and was designed to blend into the broader Ethereum ecosystem. The package leveraged trusted blockchain-related keywords including Ethereum, ethers, wallet, web3, and defi to increase visibility and establish credibility among developers. Additionally, the package declared a dependency on the legitimate ethers library version 6.13.1, further reinforcing the appearance of legitimacy.

Similarly, coinbase-wallet-utils was advertised as a utility library intended to simplify Coinbase wallet integration within blockchain applications. The package description, “Coinbase wallet integration utilities,” was intentionally generic yet convincing, allowing it to masquerade as a legitimate helper library for cryptocurrency developers. Unlike a genuine wallet integration package, however, the package contained no meaningful functionality and had an unusually small unpacked size of only 753 bytes, a characteristic often observed in malicious packages whose primary purpose is payload execution rather than feature delivery.

The naming conventions of both packages closely mirrored trusted cryptocurrency projects and appear to have been deliberately selected to exploit developer trust. By leveraging recognizable blockchain brands and commonly searched Web3 terminology, the threat actor increased the likelihood of accidental installation by developers seeking legitimate cryptocurrency-related dependencies.
Despite their relatively recent publication, both packages continued to receive installations during the investigation period.
At the time of analysis, coinbase-wallet-utils recorded approximately 63 weekly downloads, which increased to 66 weekly downloads during subsequent monitoring.

Overall package statistics showed approximately 185 total downloads at the time of writing, indicating that installations continued even after initial discovery.

Similarly, ethers-jss recorded approximately 64 weekly downloads, increasing to 67 weekly downloads during follow-up monitoring.

Total download statistics showed approximately 311 installations, demonstrating continued adoption despite the package’s malicious functionality.

Although the overall download volume remained modest compared to legitimate npm packages, the observed increase in installations during the monitoring period confirms that the campaign remained active and continued to reach new victims. Given the cryptocurrency-themed branding of both packages, the primary targets were likely blockchain developers, Web3 projects, and users searching for Ethereum and Coinbase-wallet-related development utilities.
Analysis of both packages revealed abuse of npm lifecycle hooks to achieve automatic code execution during package installation.
The coinbase-wallet-utils package utilized a postinstall script configured to execute malicious code immediately after package installation. Examination of the package contents revealed only two files, package.json and index.js, an unusually minimal structure that is inconsistent with legitimate wallet integration libraries and strongly indicative of a malicious package designed solely for payload execution.
The ethers-jss package employed a more stealthy approach through abuse of the preinstall lifecycle hook. By executing prior to installation completion, the package ensured that malicious code could run before users had an opportunity to review installed contents or identify suspicious behaviour.
By leveraging npm’s trusted lifecycle mechanisms, both packages transformed the installation process itself into an initial access vector. This technique enabled malware execution without requiring users to directly run package functionality, significantly increasing the effectiveness of the attack while reducing opportunities for detection.
The package contains only two files:
• package.json
• index.js
This unusually small package size immediately raises suspicion because legitimate Coinbase integration libraries typically contain multiple modules, documentation, examples, and supporting functionality.
The minimal structure indicates that the package was created solely to execute malicious code rather than provide legitimate wallet integration capabilities.

Analysis of the package.json file revealed the presence of a postinstall execution mechanism configured to automatically run node index.js immediately after package installation. This behaviour is highly suspicious, as malicious npm packages frequently abuse postinstall scripts to achieve automatic code execution on victim systems without requiring additional user interaction.

Analysis of the index.js file revealed clear malicious behaviour associated with environment reconnaissance and data exfiltration. The script collects sensitive host information, including the system hostname, current username, environment variables, working directory, and execution timestamp, before transmitting the collected data to an external command-and-control (C2) endpoint.
The malware leverages Node.js modules such as os and child_process to gather system-level information and execute external commands. Notably, the script abuses the curl utility through execSync() to silently exfiltrate collected data to a remote server:

File Structure:
The extracted file structure of the ethers-jss package revealed the presence of three files:
• package.json
• index.js
• docker_hunter.py
Notably, the inclusion of a Python script named docker_hunter.py inside a supposedly Ethereum utility-focused npm package is highly suspicious and inconsistent with the package’s claimed functionality. The presence of cross-language tooling within a minimal npm package strongly suggests the package may contain auxiliary reconnaissance, container discovery, credential harvesting, or environment-targeting capabilities.
Additionally, the package structure remains unusually small and heavily execution-oriented, with index.js likely serving as the primary JavaScript loader while the embedded Python component may be used for secondary-stage operations or Docker environment targeting. Such behaviour aligns with tactics commonly observed in malicious npm supply chain campaigns targeting developers, CI/CD pipelines, and cloud-native environments.

Analysis of the package.json file for the ethers-jss package revealed the abuse of a preinstall execution mechanism designed to trigger code execution automatically before the package installation process completes.
The package leverages the preinstall lifecycle hook to silently execute index.js using child_process.execSync() during installation. This technique is commonly abused by malicious npm packages to achieve automatic execution on victim systems without requiring the developer to manually run the package.
Several indicators further strengthen the malicious assessment:
Overall, the package demonstrates classic npm supply chain attack behaviour through automated pre-install execution, deceptive branding, and stealth-focused process execution mechanisms targeting cryptocurrency and blockchain development environments.

Analysis of the index.js file revealed that the package operates as a malicious wrapper around the legitimate ethers library. The malware is designed to harvest sensitive cryptocurrency-related secrets, developer environment variables, SSH credentials, and wallet private keys before exfiltrating the collected data to attacker-controlled infrastructure.
The script heavily targets blockchain developers, Web3 projects, CI/CD environments, and cryptocurrency deployment systems by searching for wallet secrets, mnemonic phrases, API tokens, and infrastructure credentials commonly used in decentralized application development.
The malware contains hardcoded attacker-controlled infrastructure used for data exfiltration operations.
The usage of GitHub Codespaces infrastructure as a C2 endpoint suggests the threat actor attempted to abuse trusted developer-oriented platforms to reduce suspicion and bypass security filtering.

The malware initializes a LootCollector class responsible for collecting host-level system information from infected environments.
Collected reconnaissance data includes:
This information enables the threat actor to profile infected developer systems and identify high-value targets.

The malware scans all environment variables for cryptocurrency-related secrets and cloud authentication credentials.
Targeted keywords include:
This behavior strongly indicates credential theft operations targeting blockchain infrastructure, deployment pipelines, and developer accounts.

The malware further searches for sensitive configuration and secret storage files commonly used in blockchain development environments.
Targeted files include:
This allows the attacker to steal embedded secrets, wallet credentials, RPC keys, and deployment configurations.

The malware explicitly scans the victim’s .ssh directory to locate and steal SSH private keys.
Successful theft of SSH keys could enable unauthorized access to:

One of the most critical behaviours observed is the malicious interception of legitimate ethers wallet functions.
The malware hooks:
• realEthers.Wallet.createRandom
Whenever a new wallet is generated or restored using a mnemonic phrase, the malware captures:
The stolen wallet data is then exfiltrated to the attacker-controlled server.
This functionality directly enables cryptocurrency theft and unauthorized wallet access.

The malware implements delayed execution using a randomized setTimeout() function before initiating reconnaissance and credential theft operations.
This delayed execution mechanism likely serves as an evasion technique intended to bypass automated sandbox analysis and reduce immediate behavioural indicators during package installation.
Once triggered, the malware performs multiple credential harvesting operations, including:
The malware specifically checks whether any sensitive environment variables or SSH keys were successfully collected before initiating exfiltration.
If sensitive data is identified, the collected information is packaged and prepared for transmission to attacker-controlled infrastructure through dedicated exfiltration endpoints such as:
This staged execution flow demonstrates a structured data theft operation specifically targeting developer secrets, blockchain credentials, and infrastructure access keys.

The malware uses native Node.js HTTPS functionality to covertly transmit stolen information to the remote command-and-control (C2) server.
The exfiltration routine serializes the collected victim data into JSON format and sends it via HTTPS POST requests to attacker-controlled endpoints.
Overall, the exfiltration workflow confirms that the package was intentionally engineered as an information-stealing implant targeting cryptocurrency developers and Web3 infrastructure environments.

The docker_hunter.py script performs basic OSINT-style enumeration of Docker Hub repositories using search queries related to blockchain and crypto tools. It only retrieves publicly available repository metadata and does not access or extract sensitive information.
However, the script could be modified in future versions to add more advanced or potentially malicious capabilities depending on how it is extended.

During continued threat hunting, researchers identified a malicious package named moralis-sdk.
The package closely mimics the legitimate Moralis SDK project and contains:
• Legitimate examples
• Legitimate project files
• Copied README content
This approach significantly increases credibility and reduces suspicion.

Key Finding: The malicious functionality is isolated to postinstall.js. Analysis of the remaining package contents indicates they are largely identical to the legitimate Moralis SDK source code, examples, and supporting files, suggesting they were copied from the original Moralis project to create the appearance of authenticity. The threat actor modified the root package.json to execute postinstall.js during installation and retained the legitimate project structure, documentation, and examples to reduce suspicion. Notably, the package’s README.md was copied verbatim from the original Moralis SDK, further reinforcing the illusion that the package is a genuine release. This approach allows the malicious package to closely resemble the legitimate project while ensuring the attacker’s code is executed automatically through the npm post-install lifecycle hook.
The moralis-sdk package contained two published versions. Version 1.0.0 was released on 28 Oct 2025 and appeared to be a clean copy of the legitimate project without malicious functionality. Approximately 13 days later, a new version, 1.0.1, was published on 11 Nov 2025 and introduced the malicious post-install code. This progression suggests that the package was initially seeded as a benign-looking copy and subsequently weaponized through a follow-up update.

One of the most concerning aspects of this package is its widespread adoption within the npm ecosystem. At the time of analysis, moralis-sdk had accumulated more than 2.7 million downloads, indicating substantial exposure across developer and enterprise environments.
The exceptionally high download volume significantly amplifies the potential impact of the campaign, as even a small percentage of successful installations could translate into a large number of compromised systems. Given the package’s ability to execute malicious code during installation, the scale of adoption highlights the potential reach of the threat actor’s operation and underscores the risks associated with malicious modifications to widely distributed open-source packages.

The malicious functionality resides entirely within postinstall.js.
The file contains approximately 18.9 KB of heavily obfuscated JavaScript designed to:
• Avoid detection
• Conceal functionality

Upon expanding the script, the code was found to be heavily obfuscated, making it difficult to interpret through manual review and concealing its underlying functionality from both researchers and automated security tools.

By applying a multi-stage Python-based deobfuscation process to the JavaScript code, we were able to successfully recover the underlying script and reveal the actual malicious functionality hidden beneath the obfuscation layers.
The package displays a banner containing Moralis SDK branding, setup instructions, and links to documentation and community resources. The banner itself does not perform any malicious actions and primarily serves as an onboarding message. Its inclusion appears intended to reinforce the appearance of a legitimate software package by presenting users with familiar branding, developer guidance, and official-looking resources. This contributes to the overall credibility of the package and may reduce the likelihood of users scrutinizing the installation process, while the actual malicious behavior is executed separately through the postinstall.js script.

The shouldRunPayload() function implements a remote activation check by retrieving the contents of a predefined YouTube video page and verifying the presence of a hardcoded marker string. The result of this check determines whether subsequent malicious functionality is executed. This design provides the threat actor with an external control mechanism, enabling payload activation, deactivation, or campaign management through modifications to remotely hosted content. The use of a legitimate web service also helps blend malicious network traffic with normal web activity and complicates detection efforts.

The malware launches a PowerShell process using the -EncodedCommand argument to conceal the underlying script from casual inspection. The embedded PowerShell code contains a Base64-encoded URL, which is decoded at runtime to retrieve additional content from a remote source. The downloaded content is subsequently Base64-decoded to recover a second-stage PowerShell payload, which is then executed in memory via Invoke-Expression. This multi-stage approach obscures the final payload, reduces static visibility of malicious content within the npm package, and enables the threat actor to modify the delivered payload remotely without publishing a new package version. By relying on PowerShell and in-memory execution, the malware minimizes on-disk artifacts and leverages trusted system utilities to perform its activities.

Decoding the embedded Base64 string revealed the URL https://pastefy.app/RhPBKGli/raw. Further analysis showed that the content hosted at this location was also Base64-encoded, indicating an additional layer of obfuscation intended to conceal the next stage of the infection chain and hinder straightforward analysis.

Upon decoding the Base64-encoded content, we recovered the underlying malware execution logic and downloader functionality. The decoded script consisted of a PowerShell-based downloader that retrieves an additional payload from another Base64-encoded URL, saves it as report_logs.bat within the system’s temporary directory, and subsequently executes it silently via cmd.exe. The execution process leverages hidden process parameters to minimize user visibility, after which the batch file is automatically deleted to reduce forensic artifacts and hinder post-compromise investigation.

Decoding the embedded Base64-encoded URL revealed a GitHub-hosted resource serving a batch file named crypted_307378.bat. This file represented the next stage of the infection chain and was intended to be downloaded and executed by the PowerShell downloader, allowing the threat actor to deliver additional payloads remotely without modifying the original npm package.

At the time of analysis, the GitHub-hosted URL was no longer accessible, preventing retrieval of the final-stage payload. This could indicate that the resource was removed, taken down, or intentionally made unavailable by the threat actor. Given that the npm package functions primarily as a downloader, the attacker retains the ability to modify, replace, or rotate downstream payloads at any time without updating the package itself. This architecture provides significant operational flexibility, allowing the same npm package to deliver different malware families, conduct multiple campaigns, or selectively activate malicious functionality based on the threat actor’s objectives.

As part of the ongoing investigation, we identified three additional typosquatting npm packages that have remained active within the npm ecosystem for nearly two years:
• Ganach
• Solidty
• Stelar-sdk
These packages closely mimic the names of widely used blockchain development tools and libraries, suggesting a deliberate attempt to exploit developer trust and typographical errors during package installation. Their long-term availability highlights the persistent nature of software supply chain threats and demonstrates how malicious packages can remain undetected within open-source repositories for extended periods while continuing to expose developers and organizations to potential compromise.

Analysis of the three typosquatting packages revealed that the associated publisher accounts did not appear to use legitimate or identifiable names. Instead, the maintainer profiles consisted of seemingly random combinations of letters and numbers, a pattern frequently observed in malicious npm campaigns where threat actors create disposable accounts to avoid attribution and facilitate large-scale package publication.
Additionally, all three packages contained postinstall lifecycle scripts configured to execute Node.js files with randomly generated names following a {random}.cjs naming pattern. The consistent use of obfuscated loaders, randomized file naming conventions, and nearly identical installation mechanisms across multiple packages suggests a common development framework or automated package generation process. These similarities indicate that the campaign was likely operated at scale, enabling the threat actor to rapidly create and deploy multiple malicious packages while maintaining a consistent infection workflow.

Analysis of the malicious scripts revealed extensive code obfuscation designed to conceal their true functionality and hinder reverse engineering efforts. The multiple layers of obfuscation significantly complicated static analysis, making it difficult to identify the underlying execution flow, payload delivery mechanisms, and malicious behaviour. Such techniques are commonly employed by threat actors to evade security detection, delay analysis, and increase the effort required to fully understand the malware’s capabilities.

To facilitate further analysis, we developed and utilized a Python-based deobfuscation workflow to process the heavily obfuscated JavaScript code. This approach successfully recovered the underlying script, allowing us to reveal the actual execution flow, infrastructure references, and malicious functionality concealed beneath the obfuscation layers.
Step 1 – Blockchain-based C2 Retrieval
The script initializes an Ethereum provider and interacts with a smart contract deployed on the Ethereum mainnet. It queries the contract using the getString() function to retrieve a value associated with a specific wallet address. The returned string is likely intended to provide dynamic configuration data, such as a command-and-control (C2) server address. Using a blockchain-hosted lookup mechanism can make infrastructure updates more resilient and harder to disrupt than hardcoded network indicators.

Step 2 – Payload Download and Platform Selection
The script contains functionality to download a remote file from a specified URL and save it locally using a streamed HTTP request. It identifies the host operating system (Windows, Linux, or macOS) and dynamically selects a platform-specific binary filename. This behaviour enables delivery of different executables depending on the victim environment, increasing compatibility across multiple operating systems. Such logic is commonly observed in downloaders or loaders that retrieve and execute additional components after initial deployment.

Step 3 – Payload Execution and Installation Workflow
The script retrieves a remote address from the Ethereum smart contract, constructs a platform-specific download URL, and downloads the corresponding binary to the system’s temporary directory. After download, it launches the binary as a detached background process using spawn() with detached: true and stdio: 'ignore', allowing execution independent of the parent process. The workflow automates the retrieval and execution of an externally hosted payload without requiring further user interaction. This behaviour is consistent with a downloader/loader pattern, where the primary script acts as a delivery mechanism for a secondary executable.

To further investigate the next stage of the infection chain, we developed a custom script to replicate the malware’s payload retrieval logic and attempted to download the platform-specific binaries referenced within the code. The script interacted with the blockchain-based infrastructure retrieval mechanism and successfully resolved the remote server address http://193[.]233[.]201[.]21:3001, which the malware used to construct payload download URLs.
Using the recovered infrastructure details, we performed controlled download attempts for all identified platform-specific payloads, including node-win.exe, node-linux, and node-macos. However, all requests failed with ECONNREFUSED errors, indicating that the remote service was not accepting connections at the time of analysis.
As a result, the secondary payloads could not be retrieved, preventing further examination of the final-stage malware. The observed behaviour suggests that the command-and-control infrastructure was either offline, intentionally disabled, or temporarily unavailable during the investigation, limiting our analysis to the downloader component and its associated delivery mechanisms.

The npm user ethcompat published five malicious packages—hardhat-deploy-utils, web3-deploy-helper, defi-sdk-core, ethers-compat, and ethereum-dev-utils—masquerading as legitimate Ethereum and Web3 development utilities.

All five packages were published on 2 May 2026 and collectively accumulated 2,236 downloads. Notably, each package was released on the same date, indicating a coordinated publication campaign.

Analysis revealed that all five packages contain the same malicious postinstall.js script. The script is lightly obfuscated, making its functionality difficult to identify through a quick review while still allowing execution during the package installation process.

Step 1: Post-Installation Payload Execution
The postinstall.js script is automatically executed during package installation and serves as the primary malicious payload. Although only lightly obfuscated, the script is designed to obscure its functionality from developers performing a quick review while ensuring execution immediately after package installation.
Step 2: Credential Discovery and Collection
Upon execution, the script searches multiple locations for sensitive blockchain-related credentials, including .env files, Hardhat configuration files, and environment variables. The malware specifically targets Ethereum private keys, deployment keys, signing keys, wallet credentials, mnemonic phrases, seed phrases, and other cryptocurrency-related secrets commonly used in Web3 development environments.
Step 3: Data Aggregation and Encryption
The harvested credentials are consolidated into a structured data object and encrypted using the AES-256-GCM algorithm. The encryption key is derived from a hardcoded value using SHA-256, preventing the collected data from being easily inspected during transmission.
Step 4: On-Chain Data Exfiltration
Rather than relying on traditional command-and-control infrastructure, the malware embeds the encrypted credential data within the data field of an Ethereum transaction. The transaction is then directed to the attacker-controlled wallet address 0xCBbecC5E5Eb88582e6305cF6ab688f03e02Ce16f, enabling credential exfiltration through public blockchain infrastructure.
Step 5: Abuse of Compromised Wallet Credentials
To transmit the exfiltration transaction, the malware attempts to use the first harvested Ethereum private key to create a wallet instance via the ethers or web3 library. As a result, the victim’s own wallet is used to sign and broadcast the transaction, causing the victim to bear the associated gas fees while simultaneously disclosing their sensitive credentials to the attacker.
During the investigation, we performed additional threat landscape analysis of the threat actor infrastructure, package metadata, source code artifacts, and associated developer accounts to identify potential attribution indicators and operational characteristics.
Analysis of the identified npm packages revealed that several publisher accounts utilized randomly generated usernames consisting of mixed alphanumeric characters, a pattern commonly observed in malicious software supply chain campaigns where disposable identities are created to reduce attribution and facilitate large-scale package publication. The use of non-descriptive maintainer profiles, combined with the absence of legitimate project history or community presence, suggests an intentional effort to conceal the operators’ identities.
Further examination of the malicious code and deobfuscated scripts uncovered multiple Russian-language comments, variable names, and string artifacts embedded within the codebase. While these artifacts do not provide definitive attribution, they indicate that the malware developers were either Russian-speaking or intentionally incorporated Russian-language elements during development. Similar indicators have frequently been observed in financially motivated cybercriminal operations targeting cryptocurrency ecosystems and developer environments.
The campaign demonstrated a relatively sophisticated operational model through the abuse of multiple trusted third-party services, including GitHub, Pastefy, YouTube, GitHub Codespaces, public blockchain infrastructure, and open Ethereum RPC providers. The adoption of legitimate cloud platforms and public services enables malicious activity to blend with normal developer workflows, reduces infrastructure costs, and complicates defensive monitoring efforts.
Of particular interest, the long-running typosquatting packages leveraged a blockchain-based infrastructure retrieval mechanism that dynamically obtained operational infrastructure from Ethereum smart contracts rather than relying on hardcoded server addresses. Separately, the newly identified ethcompat package cluster utilized Ethereum blockchain transactions as an exfiltration channel, embedding encrypted credential data within transaction payloads and transmitting it to an attacker-controlled wallet address. These techniques illustrate how threat actors are increasingly experimenting with decentralized infrastructure to improve resilience and reduce dependence on traditional attacker-controlled servers.
While traditional credential theft malware commonly relies on web-based APIs, cloud storage platforms, messaging services, or dedicated command-and-control infrastructure for data exfiltration, the observed campaign demonstrates the use of blockchain networks as an alternative mechanism for transmitting stolen information. Such approaches can complicate detection and response efforts because malicious activity is embedded within otherwise legitimate blockchain transactions and public infrastructure.
The combination of cryptocurrency-focused targeting, credential theft functionality, multi-stage malware delivery, blockchain-assisted infrastructure management, on-chain credential exfiltration, extensive code obfuscation, and Russian-language development artifacts suggests a financially motivated threat actor with experience in software supply chain operations and cryptocurrency-related cybercrime. While the available evidence remains insufficient to attribute the activity to a specific threat group, the observed tradecraft demonstrates a level of operational maturity beyond that typically observed in opportunistic npm malware campaigns.
The investigation uncovered a large-scale cryptocurrency-focused software supply chain campaign involving eleven malicious and highly suspicious npm packages targeting blockchain developers, Web3 projects, cryptocurrency infrastructure, and cloud-native development environments. Despite employing different infection chains, delivery mechanisms, and operational techniques, all identified packages shared a common objective: compromising developer environments, harvesting sensitive credentials, and enabling financially motivated malicious activity.
Technical analysis revealed a diverse set of malicious capabilities, including cryptocurrency wallet credential theft, mnemonic phrase harvesting, SSH key theft, environment variable collection, sensitive file discovery, multi-stage malware delivery, blockchain-based infrastructure retrieval, remote payload execution, and encrypted on-chain data exfiltration. Several packages specifically target secrets commonly found within Web3 development environments, including private keys, wallet credentials, deployment keys, cloud authentication tokens, API keys, and CI/CD secrets.
Of particular concern was the discovery of the trojanized moralis-sdk package, which accumulated more than 2.7 million downloads, dramatically increasing the potential reach of the campaign. Additional investigation identified multiple malicious packages masquerading as Ethereum and Web3 development utilities, including a coordinated cluster published by the npm user ethcompat that leveraged malicious post-installation scripts to harvest cryptocurrency credentials and exfiltrate stolen data through Ethereum blockchain transactions. Combined with the additional packages identified during the investigation, the overall exposure exceeded 2.72 million downloads, highlighting the scale at which malicious dependencies can proliferate within trusted software ecosystems.
The findings demonstrate how threat actors continue to weaponize open-source repositories to compromise developers, steal cryptocurrency-related assets and credentials, and gain access to high-value development infrastructure. The increasing use of sophisticated evasion techniques, trusted third-party services, decentralized infrastructure, blockchain-assisted operations, and alternative exfiltration channels illustrates the evolving threat landscape facing modern software supply chains and the growing risks confronting the Web3 development ecosystem.
| Tactic | Technique ID | Technique Name | Application |
| --- | --- | --- | --- |
| Initial Access | T1195.002 | Supply Chain Compromise: Compromise Software Dependencies and Development Tools | Trojanized npm packages delivered through npm registry |
| Execution | T1204.002 | User Execution: Malicious File | Installation of malicious npm package triggers lifecycle hooks |
| Stealth | T1036.005 | Masquerading: Match Legitimate Name or Location | Typosquatting packages Ganach, Solidty, Stelar-sdk, ethers-jss, coinbase-wallet-utils |
| Discovery | T1087 | Account Discovery | Collection of username and account information |
| Discovery | T1518 | Software Discovery | Identification of development environments and blockchain tooling |
| Collection | T1213 | Data from Information Repositories | Collection of configuration files, secrets.json, hardhat.config.js, foundry.toml |
| Collection | T1552 | Unsecured Credentials | Harvesting secrets from environment variables and config files |
| Credential Access | T1528 | Steal Application Access Token | Theft of NPM_TOKEN, GITHUB_TOKEN, AWS keys, Infura keys, Alchemy keys |
| Command and Control | T1583.001 | Acquire Infrastructure: Domains | GitHub Codespaces and attacker infrastructure |
| Command and Control | T1583.006 | Acquire Infrastructure: Web Services | YouTube, Pastefy, GitHub, npm |
| Impact | T1586.001 | Compromise Accounts | Stolen SSH keys and cloud credentials can enable account compromise |
| No | Indicators of Compromise (IOCs) | Type | Remarks |
| --- | --- | --- | --- |
| 1. | 53b91117db931d3acbbfd15aa8400bb6691e023d | SHA1 | ethers-jss package archive |
| 2. | d94a2444268b339dfda2615f7800322fb318e0a484414bb17016cfcd5eb07c44 | SHA256 | ethers-jss package archive |
| 3. | 63154cd9c79f9d14eb9be6c4efc2a778d31646ec | SHA1 | coinbase-wallet-utils package archive |
| 4. | 6585ca0d3e26c20ced638f46f4a89eea924d411b8753d3fcf434663593c7cf0b | SHA256 | coinbase-wallet-utils package archive |
| 5. | 74d3d5ab6d0fa4c6a5860598231728a6a893ecf7 | SHA1 | moralis-sdk v1.0.1 package archive |
| 6. | 17bad5ae5b2ac262f5f18854853869840245c344105aa38c7f550ef51d2e5f26 | SHA256 | moralis-sdk v1.0.1 package archive |
| 7. | fcc8a542aad41e758cf6c18571048890be53808e | SHA1 | ganach package archive |
| 8. | 7269c00a6164fd01dd516e0a72b2bd84c82e78feb552e06964e4992ff0479dda | SHA256 | ganach package archive |
| 9. | 70842cfc27b116d0db2fd7aa33d53a3faf510993 | SHA1 | solidty package archive |
| 10. | e848d73a68e4e8aea00a6257552b5872907dfaf7cce3d94636d7e59d286edeab | SHA256 | solidty package archive |
| 11. | e1bdcd1a7157f7d047a88ab4573723fe1e861951 | SHA1 | stelar-sdk package archive |
| 12. | 2fa5b0475c3b70a3ba14c6a3938baf441a08b11841493b85e087d1d5e01eba49 | SHA256 | stelar-sdk package archive |
| 13. | pastefy.app/RhPBKGli/raw | Payload Hosting URL | Base64-encoded PowerShell payload hosting location |
| 14. | 193[.]233[.]201[.]21:3001 | C2 Infrastructure | Remote payload distribution server retrieved through blockchain mechanism |
| 15. | 0xa1b40044EBc2794f207D45143Bd82a1B86156c6b | Ethereum Smart Contract | Used by malware to retrieve dynamic infrastructure information |
| 16. | 0x52221c293a21D8CA7AFD01Ac6bFAC7175D590A84 | Ethereum Wallet Address | Queried by the smart contract lookup mechanism to obtain C2 configuration |
| 17. | 0xCBbecC5E5Eb88582e6305cF6ab688f03e02Ce16f | Ethereum Wallet Address | Attacker-controlled recipient of the exfiltration transaction carrying encrypted credentials |
| 18. | d6abc7003b580472d808b338adef0b28eacc698cd4692f76cb2a91718ab78d88 | SHA256 | hardhat-deploy-utils package archive |
| 19. | bab96257018df49ace8fe8adfadc74cf8327fcf9a9dc8a3a7c9ac8e18881df5f | SHA256 | web3-deploy-helper package archive |
| 20. | d7ec660a2a29c1aabcbe9bff1ef29be9a9fab8c7fe7c40df4772dd2b5bdf9666 | SHA256 | defi-sdk-core package archive |
| 21. | 5c50f79038b31aa8a3a68b24d8b783dfbd2e15fff7586c5609e544a717ef7d05 | SHA256 | ethers-compat package archive |
| 22. | feabf10c8a9ba2775bb0f7f9d0b20203112b7df8e6d333a44d5a11eae0e38e86 | SHA256 | ethereum-dev-utils package archive |
```yara
rule NPM_Crypto_SupplyChain_IOCs
{
    meta:
        description = "Detects cryptocurrency-focused malicious npm packages and associated infrastructure"
        author = "Cyfirma Research"
        date = "2026-06-04"

    strings:
        /* Infrastructure */
        $url1 = "pastefy.app/RhPBKGli/raw" ascii wide
        $ip1 = "193.233.201.21" ascii wide

        /* Blockchain Infrastructure */
        $eth_addr1 = "0xa1b40044EBc2794f207D45143Bd82a1B86156c6b"
        $eth_addr2 = "0x52221c293a21D8CA7AFD01Ac6bFAC7175D590A84"
        $eth_addr3 = "0xCBbecC5E5Eb88582e6305cF6ab688f03e02Ce16f"

        /* SHA1 */
        $sha1_1 = "53b91117db931d3acbbfd15aa8400bb6691e023d"
        $sha1_2 = "63154cd9c79f9d14eb9be6c4efc2a778d31646ec"
        $sha1_3 = "74d3d5ab6d0fa4c6a5860598231728a6a893ecf7"
        $sha1_4 = "fcc8a542aad41e758cf6c18571048890be53808e"
        $sha1_5 = "70842cfc27b116d0db2fd7aa33d53a3faf510993"
        $sha1_6 = "e1bdcd1a7157f7d047a88ab4573723fe1e861951"

        /* SHA256 */
        $sha256_1 = "d94a2444268b339dfda2615f7800322fb318e0a484414bb17016cfcd5eb07c44"
        $sha256_2 = "6585ca0d3e26c20ced638f46f4a89eea924d411b8753d3fcf434663593c7cf0b"
        $sha256_3 = "17bad5ae5b2ac262f5f18854853869840245c344105aa38c7f550ef51d2e5f26"
        $sha256_4 = "7269c00a6164fd01dd516e0a72b2bd84c82e78feb552e06964e4992ff0479dda"
        $sha256_5 = "e848d73a68e4e8aea00a6257552b5872907dfaf7cce3d94636d7e59d286edeab"
        $sha256_6 = "2fa5b0475c3b70a3ba14c6a3938baf441a08b11841493b85e087d1d5e01eba49"
        $sha256_7 = "d6abc7003b580472d808b338adef0b28eacc698cd4692f76cb2a91718ab78d88"
        $sha256_8 = "d7ec660a2a29c1aabcbe9bff1ef29be9a9fab8c7fe7c40df4772dd2b5bdf9666"
        $sha256_9 = "bab96257018df49ace8fe8adfadc74cf8327fcf9a9dc8a3a7c9ac8e18881df5f"
        $sha256_10 = "5c50f79038b31aa8a3a68b24d8b783dfbd2e15fff7586c5609e544a717ef7d05"
        $sha256_11 = "feabf10c8a9ba2775bb0f7f9d0b20203112b7df8e6d333a44d5a11eae0e38e86"

    condition:
        any of ($sha1_*) or any of ($sha256_*) or
        $url1 or $ip1 or any of ($eth_addr*)
}
```
To mitigate the risk posed by malicious npm packages and similar software supply chain attacks targeting blockchain development environments, organizations and developers should implement the following security measures:
The continued weaponization of open-source ecosystems demonstrates that package repositories remain a high-value target for threat actors. Organizations operating within cryptocurrency and Web3 environments should treat third-party dependencies as a critical attack surface and implement rigorous controls to reduce exposure to software supply chain threats.