Feed
HighPublished 24 Mar 20265 packages · 4 versions

5 npm typosquats target Solana + Ethereum dev libraries, exfil keys to Telegram

Summary

npm publisher galedonovan shipped five typosquats of legitimate crypto libraries. Each transparently intercepts private keys passed through normal API calls (Base58 decoding for Solana, Wallet construction for Ethereum), exfiltrates them to a hardcoded Telegram bot, then returns the expected result so functionality looks normal.

typosquatcrypto-wallet-draincredential-theftinfostealer
Detected by
Socket
Ecosystems
npm
Packages tracked
5

What happened

On 2026-03-24 Socket disclosed five malicious npm packages published by galedonovan that typosquat well-known Solana and Ethereum developer libraries:

  • raydium-bs58 (1.9.7) — squats bs58 used by Raydium tutorials
  • base-x-64 (0.0.6) — squats base-x
  • bs58-basic (6.0.1) — squats bs58
  • ethersproject-wallet (5.8.1) — squats @ethersproject/wallet
  • base_xd — squats base-x

Each package re-exports the legitimate API surface and forwards calls to the real implementation. The malicious wrapper intercepts at the points where private keys actually touch developer code: decode for Base58 (Solana keypairs typically arrive as Base58 strings) and the Wallet constructor for Ethereum (which accepts a hex-encoded private key). When a key passes through, the package POSTs it to a hardcoded Telegram bot, then returns the legitimate result so the calling code sees nothing unusual.

This "transparent middleman" pattern is particularly dangerous against test environments — the typosquatted dependency passes unit tests, signs transactions correctly, and only the Telegram log reveals the theft. Audience targeting is narrow but extremely high-value: indie crypto-dApp developers whose seed phrases unlock production wallets.

Socket flagged all five packages on 2026-03-24; npm has since removed them. Anyone who installed even briefly should consider every key handled by the affected project as exposed and migrate funds to a fresh wallet.

Affected packages (5)

  • npmbase_xd
  • npmbase-x-64
    0.0.6
  • npmbs58-basic
    6.0.1
  • npmethersproject-wallet
    5.8.1
  • npmraydium-bs58
    1.9.7

Impact

  • Solana and Ethereum developer private keys exfiltrated silently
  • Functional API wrappers mean the typosquat goes undetected in testing
  • Targets crypto dApp developers

What to do

  1. 1Remove the listed packages from any project
  2. 2Treat any keys handled in affected projects as compromised; rotate / move funds

References

npm-2026-03-24-solana-ethereum-typosquats