Flashbots-impersonating npm packages steal Ethereum wallet credentials

Malware Activity
Happening score: 22
1 unique source, 1 article

Summary

Four malicious npm packages impersonating Flashbots tooling have been uncovered in the npm package registry, putting Ethereum developers at risk of wallet-key theft and transaction hijacking. The packages steal private keys and mnemonic seeds, and one variant can redirect unsigned transactions to an attacker-controlled wallet. They were uploaded from September 2023 through August 19, 2025 and remained available for download.

Related Happenings

Npm supply-chain worm that steals publishing tokens and self-propagates

Malware Activity
First: 22.04.2026 15:57 Last: 22.04.2026 15:57 Sources 1

About this happening: A **new npm supply-chain worm** is stealing **developer publishing tokens** and using them to **self-propagate** through republished packages, creating the risk of broader comprom...

DYdX npm and PyPI wallet stealer and RAT payloads

Malware Activity
First: 06.02.2026 10:40 Last: 06.02.2026 10:40 Sources 1

About this happening: The **dYdX npm and PyPI packages** now deliver a **wallet stealer** and **RAT** payload, creating immediate risk of **seed phrase theft** and host compromise. The npm variant siph...

Typosquatted npm packages delivering a PyInstaller infostealer

Malware Activity
First: 30.10.2025 01:16 Last: 30.10.2025 01:16 Sources 1

About this happening: **Ten malicious npm packages** impersonated popular libraries and delivered a **24 MB PyInstaller infostealer** to developers on **Windows, Linux, and macOS**. The packages used *...

Npm typosquatting campaign using fake CAPTCHA lures

Campaign
First: 30.10.2025 01:16 Last: 30.10.2025 01:16 Sources 1

About this happening: An **npm typosquatting campaign** used **fake CAPTCHA** lures and impersonating packages to deliver a **credential-stealing infostealer** to developers on **Windows, Linux, and mac...

BeaverTail and OtterCookie malware evolution in Contagious Interview

Malware Activity
First: 17.10.2025 16:33 Last: 17.10.2025 16:33 Sources 1

About this happening: **Contagious Interview** malware activity tied to **North Korean threat actors** continues to evolve its npm-based delivery chain. A recent wave added **197 malicious npm packages...

Timeline

  1. 06.09.2025 09:42 2 articles · 8mo ago

    Malicious npm packages impersonate Flashbots and steal Ethereum wallet keys

    Initial Disclosure

    Four malicious npm packages impersonating Flashbots tooling were discovered in the npm package registry and were found to steal Ethereum developers' private keys and mnemonic seeds, exfiltrate environment variables over SMTP using Mailtrap, send secrets to a Telegram bot, and redirect unsigned transactions to an attacker-controlled wallet.