A cryptocurrency theft campaign has surfaced on the npm package registry, targeting developers and cryptocurrency users with malicious packages built to drain Ethereum and Binance Smart Chain wallets. The packages use heavily obfuscated JavaScript to transfer up to 85% of a victim's balance to an attacker-controlled address, one more sign that software supply chain attacks increasingly go after digital assets rather than just credentials.
The Malicious Campaign
The campaign centers on four npm packages published by a threat actor using the username @crypto-exploit, who registered with the email address [email protected] from a Russian webmail service. Together the packages were downloaded more than 2,100 times before they were identified and reported as malware; the most downloaded of them, `env-process`, accounts for 1,054 of those downloads.
The packages posed as cryptocurrency development tooling under the names `pancake_uniswap_validators_utils_snipe`, `pancakeswap-oracle-prediction`, `ethereum-smart-contract`, and `env-process`, names chosen to catch developers searching for decentralized finance (DeFi) and blockchain utilities.
Attack Methodology
The attack depends on two things: a victim installing one of the packages, and the victim keeping a wallet's private key in an environment variable, a common habit in development setups where secrets are loaded into `process.env`, for example from a `.env` file. Any code running inside the Node.js process, including a freshly installed dependency, can read `process.env`, so once the malicious module is loaded it has the key. It then signs transactions that move the funds to a hardcoded attacker address: 0x71448ec2D9c5fC4978F5A690D5CE11A8669C9D02.
Blockchain analysis shows that this address received multiple transfers totalling roughly $450 worth of ETH over the campaign's active period, 2021 to 2022.
Advanced Obfuscation Techniques
A striking aspect of the campaign is its use of JavaScript obfuscation to evade detection and slow down analysis. The threat actor stored the strings the code needs in hex-escaped string arrays, so that neither a grep for suspicious identifiers nor a quick read of the file reveals what it does, which defeats both simple automated scanners and casual human review.
For example, in the `pancake_uniswap_validators_utils_snipe` package, critical strings were encoded as hexadecimal escape sequences. The array `var _0x450b = ['\x77\x65\x62\x33', '\x53\x57\x41\x50', '\x65\x6E\x76', …]` decodes to ordinary JavaScript terms such as "web3", "SWAP", and "env". The rest of the code refers to these strings by array index, so a call like `require('web3')` or a read of `process.env` never appears literally in the file.
Once deobfuscated, the code reveals the malware's core functionality: connecting to either Ethereum or Binance Smart Chain depending on environment variables, retrieving the victim's wallet balance, and constructing a transaction that transfers 80-85% of the funds. One instance of the transaction logic reads `value: web3.utils.toWei((fbb * 80 / 100).toString(), 'ether')`, where `fbb` holds the victim's current balance in ether.
Notably, the code deliberately stops short of emptying the wallet, leaving 15-20% of the funds behind. This serves two purposes: the sender still pays gas for the transfer, so a transaction that tried to move the entire balance would fail for lack of fees, and a partial loss is less likely to be noticed immediately than a wallet that suddenly reads zero.
Broader Implications and Related Incidents
This incident is part of a broader trend of supply chain attacks targeting the cryptocurrency ecosystem. In January 2025, researchers discovered 20 malicious npm packages impersonating the Hardhat development environment used by Ethereum developers. These packages were designed to harvest private keys and other sensitive data, collectively recording over a thousand downloads. ([bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/malicious-npm-packages-target-ethereum-developers-private-keys/?utm_source=openai))
Similarly, in March 2025, multiple npm cryptocurrency packages were hijacked and altered to steal sensitive information such as environment variables from target victims. Some of these packages had been on npmjs.com for over nine years, providing legitimate functionality to blockchain developers before being compromised. ([sonatype.com](https://www.sonatype.com/blog/multiple-crypto-packages-hijacked-turned-into-info-stealers?utm_source=openai))
Another notable case involved malicious npm packages that modified the locally installed `ethers` library to launch reverse shell attacks. These packages, identified as `ethers-provider2` and `ethers-providerz`, patched the legitimate `ethers` package on the victim's machine, creating a backdoor for the attackers. ([thehackernews.com](https://thehackernews.com/2025/03/malicious-npm-package-modifies-local.html?utm_source=openai))
Recommendations for Developers
Given the pattern above, developers should treat every third-party package as code that will run with their own privileges and their own environment. A few habits reduce the exposure:
– Verify Package Authenticity: before adding a package, check who publishes it, when it was first published (`npm view <package> time`), whether its repository link exists and matches the code, and whether the name merely echoes a popular project such as PancakeSwap or Hardhat. A days-old package with a single publisher and a DeFi-flavoured name is exactly the profile of the packages described here.
– Regularly Audit Dependencies: pin versions with a lockfile, install from it (`npm ci`), review lockfile changes in code review, and remove dependencies that are no longer needed; fewer packages means fewer places for a hijack of a long-standing package to land.
– Implement Security Tools: run automated malware and vulnerability scanning over dependencies in CI, and consider disabling install scripts by default (`npm config set ignore-scripts true`) so that a package cannot run code merely by being installed.
– Keep Keys Out of Reach: do not leave wallet private keys in the environment of any process that loads third-party code. Use throwaway test keys during development, and sign production transactions from a separate, tightly scoped signer or a hardware wallet.
– Monitor for Unusual Activity: watch repositories and development machines for unexpected lockfile changes, new outbound connections to RPC endpoints, and on-chain transfers from development wallets that nobody initiated.
None of these steps is exotic, and together they would have blunted this campaign: a key that is not in `process.env` cannot be read by a package that was never audited and should never have been installed.