In a recent cybersecurity incident, researchers have identified a malicious npm package, @kodane/patch-manager, which was crafted using artificial intelligence (AI) and designed to drain cryptocurrency wallets. This package, uploaded to the npm registry on July 28, 2025, by a user named Kodane, claimed to offer advanced license validation and registry optimization utilities for high-performance Node.js applications. Before its removal, it had been downloaded over 1,500 times.
The security firm Safety discovered that the package contained a post-installation script that deployed its payload across Windows, Linux, and macOS systems. This script connected to a command-and-control (C2) server at sweeper-monitor-production.up.railway[.]app, generating a unique machine ID for each compromised host and transmitting it to the C2 server. The malware then scanned the system for cryptocurrency wallet files and, if found, transferred all funds to a hard-coded Solana blockchain address.
Notably, the package exhibited characteristics suggesting it was generated using Anthropic’s Claude AI chatbot. Indicators included the use of emojis, extensive JavaScript console logging, well-written comments, and a README.md file consistent with Claude-generated markdown styles. This incident underscores the evolving threat landscape, where AI is being leveraged to create more sophisticated and convincing malware, posing significant challenges to software supply chain security.
