Malicious npm Packages Use Telegram to Exfiltrate BullX Credentials

Malicious npm packages pumptoolforvolumeandcomment and debugdogs silently steal cryptocurrency keys, wallet files, and BullX trading data on Linux/macOS, exfiltrating via Telegram bots to empty wallets and compromise user credentials. (Affected: Cryptocurrency users, BullX platform, Linux/macOS environments)

Key points:

  • Two malicious npm packages identified: pumptoolforvolumeandcomment and debugdogs, published by the same threat actor.
  • The malware targets Base58-encoded cryptocurrency keys, wallet files, and BullX trading platform data.
  • Focused on Linux and macOS environments, searching typical POSIX directories like ~/Documents, /media, and /Volumes.
  • Obfuscated payload decoded from base64 within the npm package to hide malicious operations.
  • Exfiltrates stolen data in real time via an attacker-controlled Telegram bot.
  • debugdogs acts as a wrapper to invoke pumptoolforvolumeandcomment, facilitating easier spread without changing core malware.
  • Targets specifically BullX users, a crypto trading platform, harvesting sensitive trading and credential information.
  • Malicious actor uses npm alias “olumideyo” and associated Telegram bot infrastructure for data theft.
  • This attack demonstrates risks in cryptocurrency ecosystems and software supply chains with infected dependencies.
  • Socket’s security tools provide detection and defense through automated scanning and runtime monitoring.

MITRE Techniques:

  • Obfuscated Files or Information (T1027) – Malware uses base64-encoded payloads to conceal malicious scripts within npm packages.
  • Command and Scripting Interpreter: JavaScript (T1059.007) – Executes malicious JavaScript code to scan for sensitive files and keys.
  • Unsecured Credentials (T1552) – Searches for Base58-encoded cryptocurrency wallet keys and trading credentials across user directories.
  • Exfiltration Over Web Service (T1567.002) – Sends stolen data over Telegram bot API to attacker-controlled chat for real-time access.

Indicators of Compromise:

  • The article includes malicious npm package names (pumptoolforvolumeandcomment, debugdogs) as package-based IOCs.
  • Telegram bot token “7477833207:” and Chat ID “-1002402864775” are specified as exfiltration infrastructure IOCs.
  • File patterns targeting Base58-encoded strings resembling cryptocurrency keys, including regex patterns for wallet credentials.
  • An obfuscated base64 payload stored in a ‘parts.txt’ file inside the npm package signals a code-hiding technique.
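The indicators above (a base64 blob in a side file, a Telegram bot API endpoint, a Base58 key-hunting regex, enumeration of /media and /Volumes) can be turned into a static triage check that runs over an unpacked npm tarball before it is installed. The following is an added example written for this summary, not code from Socket or from the packages described; the indicator regexes, the two-level base64 unwrapping and the constructed sample package (whose "hidden" script is inert text carrying only the strings a scanner should key on) are all assumptions of the example, not details taken from the write-up.

```python
"""Static triage of an unpacked npm package for the tells listed above:
a base64 blob decoded at run time, a Telegram bot API endpoint, a Base58
key-harvesting regex, and enumeration of POSIX mount points."""
import base64
import binascii
import re
import tempfile
from pathlib import Path

# Indicator patterns (constructed for this example). The Base58 marker is the
# character class a key-harvesting regex needs; finding it in package source is
# more telling than finding a Base58-looking string, which any hash would match.
INDICATORS = {
    "telegram_bot_api": re.compile(r"api\.telegram\.org/bot\d+:[\w-]+"),
    "telegram_send_call": re.compile(r"/sendMessage|/sendDocument"),
    "base58_key_regex": re.compile(r"1-9A-HJ-NP-Za-km-z"),
    "posix_mount_scan": re.compile(r"(?<![\w/])(?:/media|/Volumes)\b"),
}
# A run of base64 long enough to hide a script; short blobs (icons, hashes) are ignored.
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{120,}={0,2}")


def decode_blobs(text):
    """Yield the decoded form of every base64 blob that decodes to printable text."""
    for m in BASE64_BLOB.finditer(text):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue
        decoded = raw.decode("utf-8", errors="replace")
        printable = sum(c.isprintable() or c.isspace() for c in decoded)
        if printable / max(len(decoded), 1) > 0.95:
            yield decoded


def scan_text(text, origin, layer=0, max_depth=2):
    """Return (origin, layer, indicator) for each hit in text and in base64
    layers nested inside it, so a wrapper that decodes in stages is still seen."""
    hits = [(origin, layer, name) for name, rx in INDICATORS.items() if rx.search(text)]
    if layer < max_depth:
        for inner in decode_blobs(text):
            hits.append((origin, layer + 1, "base64_text_blob"))
            hits.extend(scan_text(inner, origin, layer + 1, max_depth))
    return hits


def scan_package(pkg_dir):
    """Walk an unpacked package directory and collect indicator hits per file."""
    pkg_dir = Path(pkg_dir)
    hits = []
    for path in sorted(pkg_dir.rglob("*")):
        if path.is_file():
            text = path.read_text(encoding="utf-8", errors="replace")
            hits.extend(scan_text(text, str(path.relative_to(pkg_dir))))
    return hits


def summarize(hits):
    """Collapse hits to the sorted set of indicator names seen in the package."""
    return sorted({name for _, _, name in hits})


def build_sample_package():
    """Constructed stand-in for the layout the write-up describes: index.js reads
    parts.txt and base64-decodes it. The hidden text is inert and only carries the
    strings a scanner should flag (example token, not a real one)."""
    root = Path(tempfile.mkdtemp(prefix="npm-triage-"))
    hidden = (
        "// constructed sample, not a real payload\n"
        "const roots = ['/media', '/Volumes'];\n"
        "const keyRe = /[1-9A-HJ-NP-Za-km-z]{32,44}/g;\n"
        "const url = 'https://api.telegram.org/bot1234567890:EXAMPLE_TOKEN/sendMessage';\n"
    )
    (root / "package.json").write_text('{"name": "sample-pkg", "main": "index.js"}\n')
    (root / "parts.txt").write_text(base64.b64encode(hidden.encode()).decode())
    (root / "index.js").write_text(
        "const fs = require('fs');\n"
        "const blob = fs.readFileSync(__dirname + '/parts.txt', 'utf8');\n"
        "console.log(Buffer.from(blob, 'base64').length);\n"
    )
    return root


if __name__ == "__main__":
    hits = scan_package(build_sample_package())
    for origin, layer, name in hits:
        print(f"{origin} (layer {layer}): {name}")
    print("verdict:", "suspicious" if hits else "clean")
```

Run against a real package with `scan_package("/path/to/unpacked/package")`; the layer number on each hit tells you whether the indicator was visible in plain source or only after unwrapping a base64 blob, which is exactly the distinction the parts.txt trick relies on.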


Read more: https://socket.dev/blog/malicious-npm-packages-use-telegram-to-exfiltrate-bullx-credentials
