5 npm typosquats target Solana + Ethereum dev libraries, exfil keys to Telegram
npm publisher galedonovan shipped five typosquats of legitimate crypto libraries. Each transparently intercepts private keys passed through normal API calls (Base58 decoding for Solana, Wallet construction for Ethereum), exfiltrates them to a hardcoded Telegram bot, then returns the expected result so functionality looks normal.
- Detected by
- Socket
- Ecosystems
- npm
- Packages tracked
- 5
What happened
On 2026-03-24 Socket disclosed five malicious npm packages published by galedonovan that typosquat well-known Solana and Ethereum developer libraries:
raydium-bs58(1.9.7) — squatsbs58used by Raydium tutorialsbase-x-64(0.0.6) — squatsbase-xbs58-basic(6.0.1) — squatsbs58ethersproject-wallet(5.8.1) — squats@ethersproject/walletbase_xd— squatsbase-x
Each package re-exports the legitimate API surface and forwards calls to the real implementation. The malicious wrapper intercepts at the points where private keys actually touch developer code: decode for Base58 (Solana keypairs typically arrive as Base58 strings) and the Wallet constructor for Ethereum (which accepts a hex-encoded private key). When a key passes through, the package POSTs it to a hardcoded Telegram bot, then returns the legitimate result so the calling code sees nothing unusual.
This "transparent middleman" pattern is particularly dangerous against test environments — the typosquatted dependency passes unit tests, signs transactions correctly, and only the Telegram log reveals the theft. Audience targeting is narrow but extremely high-value: indie crypto-dApp developers whose seed phrases unlock production wallets.
Socket flagged all five packages on 2026-03-24; npm has since removed them. Anyone who installed even briefly should consider every key handled by the affected project as exposed and migrate funds to a fresh wallet.
Affected packages (5)
- npm
base_xd - npm
base-x-640.0.6 - npm
bs58-basic6.0.1 - npm
ethersproject-wallet5.8.1 - npm
raydium-bs581.9.7
Impact
- Solana and Ethereum developer private keys exfiltrated silently
- Functional API wrappers mean the typosquat goes undetected in testing
- Targets crypto dApp developers
What to do
- 1Remove the listed packages from any project
- 2Treat any keys handled in affected projects as compromised; rotate / move funds