
Socket’s Threat Research Team has uncovered two malicious npm packages designed to steal cryptocurrency credentials and trading data—pumptoolforvolumeandcomment and its wrapper debugdogs. Both were published by a threat actor using the alias olumideyo, with exfiltration of stolen data carried out via a Telegram bot in real time.
“The loader in pumptoolforvolumeandcomment decodes an obfuscated payload that hunts for Base58-encoded cryptocurrency keys, wallet files, and ‘BullX’ trading data… then exfiltrates sensitive data via a Telegram bot,” Socket warns.
The attack focused on BullX, a popular platform among crypto traders for fast access to newly launched coins. Socket researchers confirmed that the malware explicitly scans for files related to “BullX”, harvesting any file whose name contains that string and ends in .txt.
At the core of pumptoolforvolumeandcomment is a base64-obfuscated script hidden in parts.txt. Once decoded and executed by the index.js loader, it begins an aggressive search across Linux and macOS file systems for credentials, using regular expressions that match Base58-encoded strings, the encoding used for wallet addresses and private keys (Bitcoin WIF keys and Solana keypairs, for example).
Key actions include:
- Scanning for sensitive files in ~/Documents, /Volumes, /media
- Searching for strings in .txt, .env, .log, .ini, .cfg, and .docs files
- Assembling all findings into a structured JSON file (fss.json)
- Sending the stolen data via a Telegram bot using the attacker’s token and chat ID
The stolen data is transmitted using the Telegram Bot API, allowing the attacker to receive credentials the moment they are found while hiding behind Telegram’s infrastructure rather than a server of their own. This real-time exfiltration model offers both speed and stealth, making it well suited to targeting high-value crypto wallets. For defenders, outbound connections to api.telegram.org from build or developer hosts that have no business talking to Telegram are a useful detection signal.
To enhance reach, the attacker also published debugdogs, a wrapper package that does little more than require and execute pumptoolforvolumeandcomment.
“By pointing directly at pumptoolforvolumeandcomment, the author ensures that anyone installing debugdogs will automatically pull in and execute the real payload,” Socket noted.
This “npm wrapper” technique is increasingly common: the wrapper’s own code looks harmless, so it can slip past cursory review by security tools and unsuspecting developers while still pulling in the real payload as a dependency.
“This attack highlights the urgent need for better scrutiny of npm packages in cryptocurrency and trading-related environments,” Socket concluded.