Solana Labs A.I CyberSecurity Scoring
Solana Labs
Company Information
Website: https://solanalabs.com/
Number of employees: 261
Number of followers: 100,100
NAICS: 513
Industry Type: Technology, Information and Internet
Homepage: solanalabs.com
Solana Labs Risk Score (AI oriented)
Between 650 and 699
Updated: 03/04/2026
672/1000
Weak
B
Current Score
672 B (WEAK)
3 incidents
-19 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026: 677
MAY 2026: 675
APRIL 2026: 674
MARCH 2026: 691
Cyber Attack
23 Mar 2026 • Solana Labs
npm, Solana and Ethereum: Five Malicious npm Packages Target Crypto Developers, Steal Wallet Keys via Telegram
Malicious npm Packages Target Solana and Ethereum Developers in Supply Chain Attack
672
CRITICAL, -19
NPMSOLETH1774427254
A recent supply chain attack has compromised cryptocurrency developers by distributing five malicious npm packages that steal wallet private keys and exfiltrate them to a Telegram-based command-and-control (C2) server. The packages, published under the npm account galedonovan, impersonate legitimate crypto libraries to target both Solana and Ethereum ecosystems.
The identified packages (raydium-bs58, base-x-64, bs58-basic, ethersproject-wallet, and the briefly published base_xd) were designed to intercept private key operations. For Solana developers, the packages hijack Base58 decode() calls, while the Ethereum-focused ethersproject-wallet triggers malicious code within the Wallet constructor. In all cases, stolen keys are sent to a hardcoded Telegram bot (@Test20131_Bot) before legitimate operations complete, allowing attackers to drain compromised wallets.
The attack leverages typosquatting and dependency confusion, with some packages (bs58-basic) containing no malicious code themselves but relying on base-x-64 to execute the theft. Obfuscation techniques, including array-rotation ciphers, were used to conceal the Telegram C2 endpoint, though one package (raydium-bs58) accidentally exposed the bot token and group invite URL in a comment.
The campaign, active as of March 23, 2026, was discovered by Socket, which submitted takedown requests for the packages and the associated npm account. However, four of the five packages remained available in the registry at the time of analysis. The attack infrastructure relies solely on the Telegram bot, meaning exfiltration remains operational as long as the bot is active.
Attribution artifacts such as shared typos in package.json, identical compiled binaries, and uniform file timestamps strongly suggest a single developer behind the campaign. The operator’s Telegram handle (@crypto_sol3) was linked to the bot’s administration group. The malicious code runs only in Node.js 18+ environments; on older versions it fails silently because the fetch() API it depends on is missing.
Developers are advised to remove the affected packages and treat any exposed keys as compromised.
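Added example, not part of the original report or of Socket's analysis: a lockfile audit for the five package names listed above that also reports which package pulled each one in, covering the bs58-basic to base-x-64 case. It assumes an npm lockfile v2/v3 "packages" map; the function names, the sample lockfile and its version numbers are constructed for illustration.

```javascript
// Added example. FLAGGED holds the five package names from the incident summary.
const FLAGGED = new Set([
  "raydium-bs58", "base-x-64", "bs58-basic", "ethersproject-wallet", "base_xd",
]);

// Lockfile v2/v3 keys look like "node_modules/a/node_modules/@scope/b";
// the package name is whatever follows the last "node_modules/".
function nameFromLockPath(lockPath) {
  return lockPath.split("node_modules/").pop();
}

// One finding per installed copy of a flagged package, with the packages
// that declare it as a dependency. Matching is exact, so the legitimate
// libraries being impersonated are not reported.
function findFlaggedPackages(lock) {
  const entries = Object.entries(lock.packages || {});
  const findings = [];
  for (const [lockPath, meta] of entries) {
    const name = nameFromLockPath(lockPath);
    if (lockPath === "" || !FLAGGED.has(name)) continue; // "" is the root project
    const requiredBy = entries
      .filter(([, m]) => name in
        { ...m.dependencies, ...m.devDependencies, ...m.optionalDependencies })
      .map(([p]) => (p === "" ? "(root project)" : nameFromLockPath(p)));
    findings.push({ name, version: meta.version, lockPath, requiredBy,
      direct: requiredBy.includes("(root project)") });
  }
  return findings;
}

// Constructed sample lockfile (versions are illustrative, not from the report).
const SAMPLE_LOCK = {
  name: "demo-app", lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0", dependencies: {
      "bs58": "^5.0.0", "bs58-basic": "^1.0.0", "@ethersproject/wallet": "^5.7.0" } },
    "node_modules/bs58": { version: "5.0.0" },
    "node_modules/@ethersproject/wallet": { version: "5.7.0" },
    "node_modules/bs58-basic": { version: "1.0.0",
      dependencies: { "base-x-64": "^1.0.0" } },
    "node_modules/base-x-64": { version: "1.0.0" },
  },
};

console.log(JSON.stringify(findFlaggedPackages(SAMPLE_LOCK), null, 2));
```

A finding with direct set to false is only removed by dropping every package named in its requiredBy list.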
FEBRUARY 2026: 690
JANUARY 2026: 688
DECEMBER 2025: 686
NOVEMBER 2025: 686
OCTOBER 2025: 684
SEPTEMBER 2025: 683
AUGUST 2025: 681
JULY 2025: 680
JANUARY 2025: 726
Breach
01 Jan 2025 • Solana Labs
Solana
Malicious npm and PyPI Packages Targeting Solana's Ecosystem
669
CRITICAL, -57
SOL000012425
Malicious npm and PyPI packages were crafted to target Solana's ecosystem, with the intent to steal private keys and drain funds from victims' wallets. The operation involved typosquatting and names mimicking popular libraries, with the theft executed via Gmail SMTP servers to evade detection. Despite discovery and reporting, the malicious packages remained live at that time. Attackers rigged the packages to programmatically transfer the majority of wallet contents to their address, carefully leaving a small fraction to avoid raising immediate suspicion. Over 130 downloads were recorded for these packages, showcasing a targeted approach to siphon off Solana's assets via automated exfiltration.
AUGUST 2022: 770
Breach
01 Aug 2022 • Solana Labs
Solana Labs
Solana and Slope Wallet Data Breach
701
CRITICAL, -69
SOL1127151122
Solana and Slope suffered from a data breach incident that affected Slope, a third-party wallet for Solana.
The hardware wallets offered by Slope are still safe; the attack only affected the downloadable wallet program.
The Solana Foundation noted that the Solana protocol itself is still secure despite the fact that thousands of wallets were drained.
Customers should take action to protect their funds, the business further advised.
It suggested that customers transfer their funds to a new wallet after creating a new seed phrase.