“The threat actor, aptly named @crypto-exploit, calculates a percent of the total target wallet and then attempts to transfer that amount to its own controlled wallet address.”
Socket outlined the campaign’s progression across four increasingly sophisticated attempts:
Downloaded 350 times, the first package, pancake_uniswap_validators_utils_snipe, impersonated token trading tools. Socket flagged it as malware and noted:
“pancake_uniswap_validators_utils_snipe was the threat actor’s first attempt to drain crypto wallets.”
The malicious code includes misleading console logs and uses a function named validateToken() to cloak its true purpose.
The second package, an improved version with 445 downloads, pretended to fetch "oracle statistics" while quietly draining funds from BSC (BNB Smart Chain) wallets.
“This code pretends to collect oracle statistics… It has no logging, making it more stealthy.”
With the third package the attacker introduced typosquatting: a package name chosen to mimic the legitimate ethereum-smart-contracts.
It targeted Ethereum users and raised the share of the wallet balance stolen from 80% to 85%:
“This code calculates 85% of the wallet instead of 80%, increasing the amount that the threat actor steals.”
The fourth and most refined version, env-process, was also the most downloaded at 1,054 downloads; its name imitates the built-in Node.js process module:
“The threat actor wanted to typosquat this package in the hopes that cryptocurrency users would download it instead.”
Notably, all four packages shared the same traits: hexadecimal-encoded variable names, dependence on environment variables, and the same attacker-controlled wallet address.
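As an added illustration (this is not Socket's tooling and not code from any of the packages described), the following Node.js script turns the two observations above, the lookalike package names and the traits shared across all four packages, into a pre-install check. Everything in it is constructed: the package names (including the made-up lookalike etherium-smart-contracts, which is not the real third package's name), the sample sources, the short list of well-known packages, and the placeholder address; that the drainer read its signing key from an environment variable is an assumption, not something the report states.

```javascript
// Added example (not Socket's tooling, not code from the malicious packages):
// a pre-install audit built from the article's two observations.
// (1) Lookalike names: "env-process" wraps the real "process"; the third package
//     mimicked "ethereum-smart-contracts". Segment containment plus a small edit
//     distance covers both patterns.
// (2) Shared source traits: hex-encoded identifiers/strings, a secret pulled from
//     process.env (assumed here to be the signing key), a hardcoded 0x address and
//     a "fraction of balance" computation.
// Package names, sample sources and the placeholder address below are constructed;
// "etherium-smart-contracts" is a made-up lookalike, not a real package name.

const KNOWN_PACKAGES = ['process', 'ethereum-smart-contracts', 'web3', 'ethers'];

// Classic Levenshtein edit distance, single-row dynamic programming.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0]; // prev[j-1] from the previous row
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = prev[j];
      prev[j] = Math.min(
        above + 1,                               // deletion
        prev[j - 1] + 1,                         // insertion
        diag + (a[i - 1] === b[j - 1] ? 0 : 1),  // substitution
      );
      diag = above;
    }
  }
  return prev[b.length];
}

// A name is a typosquat candidate if a known name is one of its hyphen/underscore
// separated segments (env-process -> process) or within maxDistance edits of it.
function typosquatCandidates(name, known = KNOWN_PACKAGES, maxDistance = 2) {
  const segments = name.split(/[-_.]/);
  return known.filter(
    (k) => k !== name && (segments.includes(k) || levenshtein(name, k) <= maxDistance),
  );
}

// Traits the four packages had in common, plus hex string escapes, which
// obfuscator output typically emits alongside _0x-style identifiers.
const SOURCE_INDICATORS = [
  { id: 'hex-identifiers',     re: /\b_0x[0-9a-f]{4,}\b/ },
  { id: 'hex-escaped-strings', re: /(\\x[0-9a-fA-F]{2}){4,}/ },
  { id: 'secret-from-env',     re: /process\.env\.\w*(PRIVATE|SECRET|MNEMONIC|SEED|KEY)\w*/i },
  { id: 'hardcoded-address',   re: /\b0x[0-9a-fA-F]{40}\b/ },
  { id: 'fraction-of-balance', re: /balance\w*\s*\*\s*(0\.\d+|\d{1,3}n?\s*\/\s*100n?)/i },
];

function scanSource(source, indicators = SOURCE_INDICATORS) {
  return indicators.filter(({ re }) => re.test(source)).map(({ id }) => id);
}

// A lookalike name alone is weak evidence (forks and wrappers are common), so it
// only counts together with source indicators; a secret read from the environment
// next to a hardcoded address is flagged on its own.
function auditPackage(pkg) {
  const typosquats = typosquatCandidates(pkg.name);
  const indicators = scanSource(pkg.source);
  const suspicious =
    (indicators.includes('secret-from-env') && indicators.includes('hardcoded-address')) ||
    (typosquats.length > 0 && indicators.length >= 2);
  return { name: pkg.name, typosquats, indicators, suspicious };
}

// --- constructed samples ----------------------------------------------------
const PLACEHOLDER_ADDRESS = '0x' + 'ab'.repeat(20); // 40 hex chars, not a real wallet

// Shaped like the behaviour the article describes: misleading log line, a
// validateToken() wrapper, key from env, 85% of the balance sent to a fixed address.
const SAMPLE_MALICIOUS = [
  "const _0x4f2a = ['\\x67\\x65\\x74\\x42\\x61\\x6c\\x61\\x6e\\x63\\x65'];",
  'async function validateToken(provider) {',
  "  console.log('Validating token pair...');",
  '  const key = process.env.PRIVATE_KEY;',
  '  const balance = await getBalance(provider, key);',
  '  const amount = balance * 85n / 100n;',
  `  await sendTo('${PLACEHOLDER_ADDRESS}', amount);`,
  '}',
].join('\n');

const SAMPLE_BENIGN = [
  "const { ethers } = require('ethers');",
  'async function balanceOf(provider, addr) { return provider.getBalance(addr); }',
].join('\n');

const REPORT = [
  auditPackage({ name: 'env-process', source: SAMPLE_MALICIOUS }),
  auditPackage({ name: 'etherium-smart-contracts', source: SAMPLE_MALICIOUS }),
  auditPackage({ name: 'my-balance-helper', source: SAMPLE_BENIGN }),
];
console.log(JSON.stringify(REPORT, null, 2));
```

Run it with node and it prints the three audits as JSON: the two lookalike names are flagged with all five source indicators, the benign helper with none. In practice the name check should be run against a project's real dependency list rather than the four-entry sample here, and the regexes are a first filter, not a verdict; anything they flag still needs a reader to open the package.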
According to Socket, the wallet linked to the threat actor received multiple ETH deposits totaling nearly $450, followed by an outgoing transfer:
“The address was active around the time the packages were released… it is possible that the exploit worked.”
Socket reported all packages to npm, but the incident underscores a larger risk in the open-source software supply chain, especially for blockchain developers: an installed dependency runs with the same access to environment variables as the application that imports it.