
Malicious npm packages impersonating Flashbots steal Ethereum wallet keys

1 unique source, 1 article

Summary


Four malicious npm packages that impersonate Flashbots infrastructure and cryptographic utilities have been discovered. Uploaded by a user named 'flashbotts', they steal Ethereum wallet credentials from developers, exfiltrating private keys and mnemonic seeds to a Telegram bot controlled by the threat actor. The earliest upload dates back to September 2023 and the most recent to August 19, 2025; the packages remain available for download. The four packages are @flashbotts/ethers-provider-bundle, flashbot-sdk-eth, sdk-ethers, and gram-utilz. The most dangerous, @flashbotts/ethers-provider-bundle, redirects unsigned transactions to an attacker-controlled wallet and logs metadata from pre-signed transactions. Comments in the source code suggest the threat actor speaks Vietnamese.
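A defender-side check, added here as an example and not code from the report or from Flashbots: scan a package-lock.json for the four package names listed above and for scopes that are a one-character edit away from the legitimate scope. It assumes the legitimate Flashbots npm scope is @flashbots (the impersonating account is 'flashbotts'); the lockfile contents are constructed.

```python
"""Flag lockfile dependencies that match the malicious packages named in this
write-up, or whose scope is a near-miss of the legitimate @flashbots scope."""
import json

# Exact package names from the report.
KNOWN_MALICIOUS = {
    "@flashbotts/ethers-provider-bundle",
    "flashbot-sdk-eth",
    "sdk-ethers",
    "gram-utilz",
}
# Assumption: the genuine Flashbots packages live under the @flashbots scope.
LEGIT_SCOPES = {"@flashbots"}

def edit_distance(a, b):
    """Levenshtein distance; one insertion/deletion/substitution costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(name):
    """Return 'known-malicious', 'scope-lookalike' or 'ok' for one package name."""
    if name in KNOWN_MALICIOUS:
        return "known-malicious"
    scope = name.split("/", 1)[0] if name.startswith("@") else None
    if scope and scope not in LEGIT_SCOPES and any(
            edit_distance(scope, legit) <= 1 for legit in LEGIT_SCOPES):
        return "scope-lookalike"  # e.g. @flashbotts or @flashbot impersonating @flashbots
    return "ok"

def scan_lockfile(lock_text):
    """Walk lockfileVersion 2/3 'packages' and v1 'dependencies'; return findings."""
    lock = json.loads(lock_text)
    findings = {}
    for path in lock.get("packages", {}):
        if path:  # "" is the root project itself
            name = path.rsplit("node_modules/", 1)[-1]  # handles nested node_modules
            if (verdict := classify(name)) != "ok":
                findings[name] = verdict
    for name in lock.get("dependencies", {}):
        if (verdict := classify(name)) != "ok":
            findings[name] = verdict
    return findings

# Constructed sample lockfile mixing a genuine scope with two report-named packages.
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "demo-app"},
    "node_modules/chalk": {},
    "node_modules/@flashbots/ethers-provider-bundle": {},
    "node_modules/@flashbotts/ethers-provider-bundle": {},
    "node_modules/gram-utilz": {}}})

if __name__ == "__main__":
    print(scan_lockfile(SAMPLE_LOCK))
```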

Timeline

  1. 06.09.2025 09:42 (1 article)

    Malicious npm packages impersonating Flashbots steal Ethereum wallet keys

    Four malicious npm packages have been discovered that impersonate Flashbots infrastructure and cryptographic utilities. These packages, uploaded by a user named 'flashbotts,' steal Ethereum wallet credentials by exfiltrating private keys and mnemonic seeds to a Telegram bot. The earliest upload dates back to September 2023, with the most recent upload on August 19, 2025. The packages remain available for download.


Similar Happenings

Malicious npm package 'fezbox' uses QR codes to deliver cookie-stealing malware

A malicious npm package named 'fezbox' was discovered using QR codes to fetch and execute cookie-stealing malware. Disguised as a utility library, the package was downloaded at least 327 times before being removed from the npm registry. It fetched a JPG image containing a QR code, which in turn delivered a second-stage payload; the QR code was unusually dense and hard to read with standard phone cameras, a steganographic technique that made it harder to detect. The package was published by a Chinese-speaking attacker using the alias 'janedu' and included multiple layers of obfuscation, including reversed strings as an anti-analysis technique. Its README mentioned a QR Code Module, lending the package an appearance of legitimacy. The payload read a web cookie and, if both were present, extracted the username and password, sending the stolen credentials via an HTTPS POST request to a command-and-control server. The package was removed and flagged as malware posing a supply-chain risk; the attacker's activity status on the npm registry remains unclear.

Supply Chain Attack Targets npm Packages with Over 2.6 Billion Weekly Downloads

A supply chain attack involving multiple npm packages with over 2.6 billion weekly downloads has been discovered. The attack, which began in April 2025, injected malicious code into npm packages after a maintainer's account was compromised via a phishing attack, and has since expanded to additional maintainers and packages. The injected code targets browser environments, hooking Ethereum and Solana signing requests, intercepting network traffic and application APIs, and redirecting transactions to addresses controlled by the threat actors; targeted wallets include Atomic and Exodus, and targeted cryptocurrencies include Ethereum, Bitcoin, Solana, Tron, Litecoin, and Bitcoin Cash. The attack impacted roughly 10% of all cloud environments, but the attackers made little profit: the malicious packages were removed within two hours, and the quick discovery and mitigation prevented more severe security incidents. The compromised packages include popular ones such as ansi-regex, ansi-styles, chalk, debug, and others, collectively attracting over 2 billion weekly downloads. The attack follows a series of similar incidents targeting JavaScript libraries, emphasizing the ongoing threat to the npm ecosystem and the broader supply chain.

Malicious nx Packages Exfiltrate Credentials in 's1ngularity' Supply Chain Attack

The Shai-Hulud attack, a self-replicating malware, has compromised at least 187 npm packages, affecting multiple maintainers. It propagates to other packages by the same maintainer by modifying package.json, injecting a bundle.js script, repacking the archive, and republishing it. The malware uses TruffleHog to search the host for tokens and cloud credentials, creates unauthorized GitHub Actions workflows within repositories, and exfiltrates sensitive data to a hardcoded webhook endpoint. The attack is named 'Shai-Hulud' after the shai-hulud.yaml workflow files the malware drops, and follows the 's1ngularity' attack, potentially orchestrated by the same attackers. It unfolded in three phases, impacting 2,180 accounts and 7,200 repositories. The first phase, between August 26 and 27, directly impacted 1,700 users, leaking over 2,000 unique secrets and exposing 20,000 files. The second phase, between August 28 and 29, compromised an additional 480 accounts, mostly organizations, and exposed 6,700 private repositories. The third phase, beginning on August 31, targeted a single victim organization, publishing an additional 500 private repositories. The attackers used AI-powered CLI tools such as Claude, Q, and Gemini to dynamically scan for high-value secrets, tuning the prompts for better success.