
AI-Generated npm Package Conceals Solana Crypto Wallet Drainer

AI-Generated Malware Package Drains Solana Crypto Wallets via npm, Highlights Rising Threat to Open-Source Security

  • Researchers found a malicious npm package created using artificial intelligence.
  • The package targeted cryptocurrency wallets and was downloaded over 1,500 times before removal.
  • The malware’s main function was to steal funds from Solana blockchain wallets through an automated post-installation script.
  • Evidence suggests the attacker used Anthropic’s Claude AI chatbot to generate the package code.
  • Experts warn that AI-generated malicious packages make it harder for security teams to spot and stop threats.

Security researchers have identified a harmful npm package, named @kodane/patch-manager, that used artificial intelligence to help spread malware. The package, uploaded to npm by a user called “Kodane” on July 28, 2025, claimed to offer license validation and registry optimization tools for Node.js apps, but instead contained a cryptocurrency wallet drainer.

Before npm removed the package from its registry, it was downloaded more than 1,500 times. According to supply chain security firm Safety, the malware’s actions were listed directly in its source code, describing itself as an “enhanced stealth wallet drainer.” The harmful behavior started with a postinstall script—a script that automatically runs after package installation—which hid its payload in secret directories on Windows, Linux, and macOS computers.

The script then connected the infected machine to a command-and-control server hosted at “sweeper-monitor-production.up.railway[.]app.” “The script generates a unique machine ID code for the compromised host and shares that with the C2 server,” said Paul McCarty, head of research at Safety. Two compromised machines were reportedly listed on the server.

Postinstall scripts, which run automatically after installing a package, are often overlooked as a threat. Users can be compromised without ever manually running the package, making such attacks especially dangerous in environments where packages are updated regularly without careful review.

The malware was designed to search for wallet files linked to the Solana blockchain. If found, the script attempted to transfer all funds from the wallet to a hard-coded address controlled by the attacker.

Researchers found clues pointing to the use of Anthropic’s Claude AI chatbot in generating the package. These clues included heavy use of emojis, detailed JavaScript console messages, informative code comments, and a README file written in a style typical of Claude-generated markdown. Phrases like “Enhanced” matched known patterns from Claude.

This incident shows how attackers are using AI tools to build more convincing and effective malware. It also increases concerns about open-source software security, since AI can help create packages that look safe but carry hidden threats, making it more difficult for maintainers and security teams to detect risks. For more information, see the detailed analysis by Safety.
