A new set of malicious npm packages impersonating legitimate cryptographic tools is being used to steal Ethereum wallet credentials. These packages secretly exfiltrate private keys and mnemonic seeds to Telegram bots controlled by threat actors, exploiting developer trust in the platform. #Flashbots #EthereumWalletTheft
Keypoints
- The malicious packages impersonate authentic Flashbots and MEV infrastructure tools on npm.
- Thorough analysis revealed that these packages can exfiltrate private keys and mnemonic seeds secretly.
- The most dangerous package "@flashbotts/ethers-provider-bundle" disguises data exfiltration as legitimate API functionality.
- Threat actors may be Vietnamese-speaking, indicated by Vietnamese comments within the malicious code.
- The attacks leverage trusted platform identities to conduct software supply chain attacks and steal funds.
Read More: https://thehackernews.com/2025/09/malicious-npm-packages-impersonate.html