
The Socket Threat Research Team has uncovered a new threat lurking within the JavaScript ecosystem: four malicious npm packages explicitly designed to exfiltrate cryptocurrency from unsuspecting developers’ wallets on the Binance Smart Chain (BSC) and Ethereum.
The four identified packages—pancake_uniswap_validators_utils_snipe, pancakeswap-oracle-prediction, ethereum-smart-contract, and env-process—amassed over 2,100 downloads collectively, signaling real-world exposure before detection.
These packages, all created by an npm user named @crypto-exploit, contained obfuscated JavaScript designed to steal 80–85% of a target wallet’s balance by sending it to a hardcoded address: 0x71448ec2D9c5fC4978F5A690D5CE11A8669C9D02.
Socket’s report notes:
“The threat actor, aptly named @crypto-exploit, calculates a percent of the total target wallet and then attempts to transfer that amount to its own controlled wallet address.”
Socket outlined the campaign’s progression across four increasingly sophisticated attempts:
First Try: pancake_uniswap_validators_utils_snipe
Downloaded 350 times, this initial package impersonated token trading tools. Socket flagged it as malware and noted:
“pancake_uniswap_validators_utils_snipe was the threat actor’s first attempt to drain crypto wallets.”
The malicious code includes misleading console logs and uses a function named validateToken() to cloak its true purpose.
Second Try: pancakeswap-oracle-prediction
An improved version with 445 downloads, this package pretended to fetch “oracle statistics” while quietly stealing BSC wallet funds.
“This code pretends to collect oracle statistics… It has no logging, making it more stealthy.”
Third Try: ethereum-smart-contract
Here, the attacker introduced typosquatting—creating a package name that mimics the legitimate ethereum-smart-contracts.
It targeted Ethereum users and increased the theft amount to 85% of the wallet balance:
“This code calculates 85% of the wallet instead of 80%, increasing the amount that the threat actor steals.”
Perfected: env-process
The most refined version, and the most downloaded at 1,054 downloads, env-process impersonated the legitimate Node.js process module:
“The threat actor wanted to typosquat this package in the hopes that cryptocurrency users would download it instead.”
Notably, all four packages shared the same traits: hexadecimal-encoded variables used for obfuscation, a dependence on environment variables, and the same hardcoded malicious wallet address.
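The shared traits above are the kind of thing a package-scanning step can flag before install. The following is an added example, not code from Socket's report or from the packages themselves: a static heuristic that scores a JavaScript source file for obfuscator-style hexadecimal identifiers and string escapes, reads from process.env, and hardcoded EVM addresses, treating the address quoted in the article as a known indicator; the sample package source it scans is constructed here.

```javascript
// Added example, not code from Socket's report: a defensive static heuristic
// that flags the traits the article attributes to the four packages: obfuscated
// hexadecimal identifiers and string escapes, reads from process.env, and a
// hardcoded EVM address (the one quoted in the article is treated as a known IoC).

const KNOWN_DRAINER_ADDRESSES = new Set([
  '0x71448ec2d9c5fc4978f5a690d5ce11a8669c9d02', // address quoted in the article, lowercased
]);

const EVM_ADDRESS_RE = /0x[0-9a-fA-F]{40}\b/g;      // 20-byte address literal
const HEX_IDENT_RE = /\b_0x[0-9a-fA-F]{4,}\b/g;     // obfuscator-style names such as _0x4a2f
const HEX_ESCAPE_RE = /\\x[0-9a-fA-F]{2}/g;         // '\x62\x61...' string escapes
const ENV_READ_RE = /process\.env\.[A-Za-z_]\w*/g;  // secrets pulled from the environment

// Scan one JavaScript source file and return the indicators found plus a verdict.
function scanPackageSource(source) {
  const addresses = [...new Set((source.match(EVM_ADDRESS_RE) || []).map(a => a.toLowerCase()))];
  const findings = {
    addresses,
    knownDrainerAddress: addresses.some(a => KNOWN_DRAINER_ADDRESSES.has(a)),
    hexIdentifiers: (source.match(HEX_IDENT_RE) || []).length,
    hexEscapes: (source.match(HEX_ESCAPE_RE) || []).length,
    envReads: [...new Set(source.match(ENV_READ_RE) || [])],
  };
  // Weighted score: a known IoC is decisive on its own; the other traits only
  // add up to 'suspicious' and need a human look.
  let score = 0;
  if (findings.knownDrainerAddress) score += 10;
  else if (addresses.length > 0) score += 3;  // any hardcoded destination address
  if (findings.hexIdentifiers >= 3) score += 3;
  if (findings.hexEscapes > 10) score += 2;
  if (findings.envReads.length > 0 && addresses.length > 0) score += 2; // env secret + fixed destination
  findings.score = score;
  findings.verdict = score >= 10 ? 'malicious' : score >= 5 ? 'suspicious' : 'clean';
  return findings;
}

// Constructed fixture mimicking the described traits; it is not the real package code.
const CONSTRUCTED_SAMPLE = String.raw`
const _0x4a2f = ['\x62\x61\x6c\x61\x6e\x63\x65', '\x73\x65\x6e\x64'];
const _0x1b3c = process.env.WALLET_KEY;
const _0x2d4e = '0x71448ec2D9c5fC4978F5A690D5CE11A8669C9D02';
function validateToken() { console.log('Validating token...'); }
`;

console.log(scanPackageSource(CONSTRUCTED_SAMPLE));
```

Run against each file in a package tarball (for example from a registry mirror or a CI pre-install hook) and block the install on a 'malicious' verdict; a 'suspicious' verdict is a prompt for manual review, since hex-escaped strings alone also appear in legitimate minified code.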
According to Socket, the wallet linked to the threat actor received multiple ETH deposits totaling nearly $450, followed by an outgoing transfer:
“The address was active around the time the packages were released… it is possible that the exploit worked.”
Socket reported all packages to npm, but the incident underscores a larger risk in the open-source software supply chain, especially for blockchain developers.