BTC $71,807
2026 Bull Run Is Building Start trading with 5% OFF all fees
Sign Up Now
BTC $71,807
Bull Run 2026 | 5% Off Fees Open your Binance account today
Sign Up

Malicious npm Packages Steal Ethereum Wallets by Impersonating Flashbots

Malicious npm Packages Disguised as Flashbots Tools Target Ethereum Wallets and Developers

  • Researchers have found four harmful npm packages targeting Ethereum wallet credentials.
  • The packages pretend to be official Flashbots tools but steal private keys and mnemonic phrases.
  • The attackers use Telegram bots and Mailtrap for sending stolen data.
  • Some of the packages redirect transactions to attacker-controlled wallets.
  • Vietnamese language comments suggest a Vietnamese-speaking attacker.

Security researchers discovered four malicious software packages on the npm registry that target cryptocurrency developers by stealing sensitive wallet information. The packages, uploaded by a user called flashbotts, were posted between September 2023 and August 19, 2025, and are still available for download.

- Advertisement -

According to Socket researcher Kush Pandya, the harmful packages pretend to be legitimate cryptographic utilities and claim to offer compatibility with Flashbots MEV infrastructure. In reality, these packages extract private keys and mnemonic seed phrases—critical information for accessing cryptocurrency wallets—and send them to an attacker-controlled Telegram bot. One of the packages, @flashbotts/ethers-provider-bundle, also transmits environment variables over SMTP using Mailtrap, which allows communication with external email services.

The most dangerous package, @flashbotts/ethers-provider-bundle, hides its harmful actions under the appearance of offering full API support for Flashbots. It includes a function that forwards all unsigned Ethereum transactions to the attacker’s address and logs information from already signed transactions. Another package, sdk-ethers, can send wallet seed phrases to the Telegram bot, though these functions only activate when called by developers in their code. The package flashbot-sdk-eth also tries to steal private keys, and gram-utilz provides a way to send any data to the attacker’s Telegram chat.

Mnemonic phrases serve as the master password to restore and access cryptocurrency wallets. If attackers steal these phrases, they can take full control of victims’ funds. Socket’s analysis found comments in Vietnamese throughout the code, suggesting the attacker may be Vietnamese-speaking.

Socket stated, “Because Flashbots is widely trusted by validators, searchers, and DeFi developers, any package that appears to be an official SDK has a high chance of being adopted by operators running trading bots or managing hot wallets. A compromised private key in this environment can lead to immediate, irreversible theft of funds.”

- Advertisement -

Researchers say these attacks take advantage of trust in familiar package names and legitimate-looking utilities to slip harmful code past users. The findings highlight a growing threat of software supply chain attacks that exploit trust within the cryptocurrency development community.

✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.

Previous Articles:

- Advertisement -
Ad
Altseason Is Loading. Don't watch from the sidelines.
SOL $90.51
DOGE $0.0963
LINK $9.02
SUI $1.00
5% off fees when you sign up
Start Trading
Ad
Pay Less on Every Trade. For Life.
$10K/mo volume Save $60/yr
$50K/mo volume Save $300/yr
$100K/mo volume Save $600/yr
5% off all trading fees when you sign up
Claim Your Discount

Latest News

WordPress core hit by zero-click RCE bug, patch now live

WordPress patched a pre-authentication remote code execution flaw in versions 6.9.5 and 7.0.2 on...

ECB: Stablecoin growth puts European bank deposits at risk

ECB board member Piero Cipollone warned Friday that stablecoin growth could strip European banks...

Tesla Launches Megacharger Network with Bloomington Station

Tesla opened a new public Megacharger station in Bloomington, California, calling it the start...

Apple Overtakes Nvidia as World’s Most Valuable Public Company

Apple briefly surpassed NVIDIA as the world’s most valuable publicly traded company, hitting an...

Galaxy Digital buys naming rights to Texas Tech stadium in 15-year deal

Galaxy Digital signed a 15-year naming rights deal with Texas Tech, renaming the football...

Must Read

9 Best Books On Ethereum And Blockchain Technology

QUICK LINKSHow to Choose Your First Blockchain Book: A Simple Framework1. Define Your Goal: Are you looking to Build, Invest, or Understand?2. Assess Your...
Ad
Altseason Is Loading. These 4 coins are trending right now.
SOL $92.12
DOGE $0.0950
LINK $9.02
SUI $1.02
5% off spot fees when you sign up
Start Trading