Malicious npm Packages Impersonate Flashbots, Steal Ethereum Wallet Keys
"A new set of four malicious packages have been discovered in the npm package registry with capabilities to steal cryptocurrency wallet credentials from Ethereum developers. "The packages masquerade as legitimate cryptographic utilities and Flashbots MEV infrastructure while secretly exfiltrating private keys and mnemonic seeds to a Telegram bot controlled by the threat actor," Socket researcher Kush Pandya said in an analysis."
"The most dangerous of the identified libraries is "@flashbotts/ethers-provider-bundle," which uses its functional cover to conceal the malicious operations. Under the guise of offering full Flashbots API compatibility, the package incorporates stealthy functionality to exfiltrate environment variables over SMTP using Mailtrap. In addition, the npm package implements a transaction manipulation function to redirect all unsigned transactions to an attacker-controlled wallet address and log metadata from pre-signed transactions."
Four malicious npm packages impersonating cryptographic utilities and Flashbots MEV tooling target Ethereum developers and can steal wallet credentials. The packages were uploaded by a user named "flashbotts" between September 2023 and August 19, 2025 and remain available for download. The most dangerous package, @flashbotts/ethers-provider-bundle, exfiltrates environment variables via SMTP using Mailtrap and redirects unsigned transactions to an attacker-controlled wallet while logging pre-signed transaction metadata. Other packages include functions that transmit mnemonic seed phrases to a Telegram bot when invoked and a modular mechanism for exfiltrating arbitrary data to the threat actor’s Telegram chat.
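
The impersonation described above rests on a one-letter difference in the npm scope ("@flashbotts" versus "@flashbots"). As an added example (not code from Socket, The Hacker News, or Flashbots), the following check flags lockfile entries whose names are near-misses of an allowlist; the `TRUSTED` list, the function names, and the sample lockfile are assumptions constructed for illustration.

```javascript
// Assumption: TRUSTED is an allowlist your team maintains; sampleLock is constructed data.
const TRUSTED = ["@flashbots/ethers-provider-bundle", "ethers"];

// Levenshtein edit distance (insert, delete, substitute each cost 1).
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const sub = prev[j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1);
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, sub);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Package names from the "packages" map of a v2/v3 package-lock.json (nested installs included).
function lockfileNames(lock) {
  const names = new Set();
  for (const path of Object.keys(lock.packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx !== -1) names.add(path.slice(idx + "node_modules/".length));
  }
  return [...names];
}

// Names not on the allowlist but within maxDist edits of an allowlisted name.
function findLookalikes(lock, trusted = TRUSTED, maxDist = 2) {
  const hits = [];
  for (const name of lockfileNames(lock)) {
    if (trusted.includes(name)) continue;
    for (const t of trusted) {
      const d = editDistance(name, t);
      if (d <= maxDist) hits.push({ name, resembles: t, distance: d });
    }
  }
  return hits;
}

// Constructed sample lockfile (versions are placeholders).
const sampleLock = {
  packages: {
    "": { name: "demo" },
    "node_modules/ethers": { version: "0.0.0" },
    "node_modules/@flashbotts/ethers-provider-bundle": { version: "0.0.0" },
  },
};
console.log(findLookalikes(sampleLock));
```

Running this in CI against the real `package-lock.json` and failing the build on any hit catches a lookalike before its code runs in a developer or build environment that holds wallet keys.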
Read at The Hacker News