Socket Threat Research Team has uncovered a new threat lurking within the JavaScript ecosystem: four malicious npm packages explicitly designed to exfiltrate cryptocurrency from unsuspecting developers’ wallets on the Binance Smart Chain (BSC) and Ethereum.
The four identified packages (pancake_uniswap_validators_utils_snipe, pancakeswap-oracle-prediction, ethereum-smart-contract, and env-process) amassed over 2,100 downloads collectively, signaling real-world exposure before detection.
These packages, all created by an npm user named @crypto-exploit, contained obfuscated JavaScript designed to steal 80-85% of a target wallet's balance by sending it to a hardcoded address: 0x71448ec2D9c5fC4978F5A690D5CE11A8669C9D02.
Socket's report notes:
"The threat actor, aptly named @crypto-exploit, calculates a percent of the total target wallet and then attempts to transfer that amount to its own controlled wallet address."
Socket outlined the campaign's progression across four increasingly sophisticated attempts:
First Try: pancake_uniswap_validators_utils_snipe
Downloaded 350 times, this initial package impersonated token trading tools. Socket flagged it as malware and noted:
"pancake_uniswap_validators_utils_snipe was the threat actor's first attempt to drain crypto wallets."
The malicious code includes misleading console logs and uses a function named validateToken() to cloak its true purpose.
Second Try: pancakeswap-oracle-prediction
An improved version with 445 downloads, this package pretended to fetch "oracle statistics" while quietly stealing BSC wallet funds.
"This code pretends to collect oracle statistics... It has no logging, making it more stealthy."
Third Try: ethereum-smart-contract
Here, the attacker introduced typosquatting, creating a package name that mimics the legitimate ethereum-smart-contracts.
It targeted Ethereum users and increased the theft amount to 85% of the wallet balance:
"This code calculates 85% of the wallet instead of 80%, increasing the amount that the threat actor steals."
Perfected: env-process
The most refined version, and the most downloaded at 1,054 downloads, env-process impersonated the legitimate Node.js process module:
"The threat actor wanted to typosquat this package in the hopes that cryptocurrency users would download it instead."
Notably, all packages shared similar obfuscation methods using hexadecimal-encoded variables, environment variable dependencies, and the same malicious wallet address.
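The shared traits above (a fixed drainer address, hex-named obfuscated identifiers, wallet secrets read from environment variables, and names that imitate legitimate packages) are all things a defender can check for in a dependency audit. The following scanner is an added example written for this article, not code from Socket or from the malicious packages; the regexes, thresholds and the list of imitated names are assumptions, and the sample source it runs on is constructed.

```javascript
// Address and package names are taken from the report above.
const DRAINER_ADDRESS = "0x71448ec2d9c5fc4978f5a690d5ce11a8669c9d02";
const KNOWN_MALICIOUS = new Set([
  "pancake_uniswap_validators_utils_snipe",
  "pancakeswap-oracle-prediction",
  "ethereum-smart-contract",
  "env-process",
]);
// Legitimate names the campaign imitated (assumption: "process" stands for the
// core Node.js module that env-process impersonated).
const IMPERSONATED = ["ethereum-smart-contracts", "process"];

// Levenshtein distance, used to flag near-miss package names.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++)
    for (let j = 1; j <= b.length; j++)
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1,
        d[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1));
  return d[a.length][b.length];
}

// A name "looks like" a legitimate one if it is a small edit away from it, or
// adds a prefix/suffix to it (env-process vs process).
function looksLike(name, legit) {
  return name !== legit &&
    (editDistance(name, legit) <= 2 || name.includes(legit) || legit.includes(name));
}

// Returns a list of indicator labels found for one package's name and source.
function scanPackage(name, source) {
  const findings = [];
  if (KNOWN_MALICIOUS.has(name)) findings.push("known-malicious-name");
  else if (IMPERSONATED.some((l) => looksLike(name, l))) findings.push("possible-typosquat");
  if (source.toLowerCase().includes(DRAINER_ADDRESS)) findings.push("drainer-address");
  // Identifiers such as _0x1f3a are the hallmark of the hex-renaming obfuscation.
  const hexIds = new Set(source.match(/_0x[0-9a-f]{2,}/gi) || []);
  if (hexIds.size >= 3) findings.push(`hex-obfuscated-identifiers:${hexIds.size}`);
  // Wallet secrets pulled from the environment, as the report describes.
  if (/process\.env\.[A-Z_]*(PRIVATE|MNEMONIC|SEED)[A-Z_]*/i.test(source)) findings.push("env-secret-access");
  return findings;
}

// Constructed fixture (not the real package source) that trips every check.
const SAMPLE = `
const _0x1f3a = process.env.WALLET_PRIVATE_KEY;
const _0x2b4c = "0x71448ec2D9c5fC4978F5A690D5CE11A8669C9D02";
const _0x3d5e = [_0x1f3a, _0x2b4c];
`;
```

Run scanPackage over each entry in node_modules (name from package.json, source from its main file) and treat any finding as grounds to quarantine the package before install scripts or application code execute it.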
According to Socket, the wallet linked to the threat actor received multiple ETH deposits totaling nearly $450, followed by an outgoing transfer:
"The address was active around the time the packages were released... it is possible that the exploit worked."
Socket reported all packages to npm, but the incident underscores a larger risk in the open-source software supply chain, especially for blockchain developers.