Feed
CriticalPublished 9 Jun 20264 packages · 4 versions

SeedSweep: 10-package npm crypto-wallet drainer published by `aicrypto-xzggg`

Summary

On 2026-06-09 between 03:23 and 03:57 UTC the brand-new npm account aicrypto-xzggg (vipsyria88@gmail.com) shipped 10 Web3-flavoured packages — wallet-sdk-9, swap-sdk-87, defi-tools-39, farming-tools-12, and six others — each carrying an identical postinstall payload that reads wallet keystores, seed-phrase files, SSH keys, and .env files across six chains and exfiltrates them to Telegram bot id 8227918239. npm unpublished every release ~8 hours later. Disclosed by Xygeni as the SeedSweep campaign.

typosquatcrypto-wallet-draincredential-theftinfostealer
Threat actor
aicrypto-xzggg (vipsyria88@gmail.com)
Detected by
Xygeni
Also known as
SeedSweep
Ecosystems
npm
Packages tracked
4

What happened

Xygeni's Malicious Code Digest #73 published the SeedSweep disclosure on 2026-06-09. A single fresh npm publisher account, aicrypto-xzggg (stated email vipsyria88@gmail.com, both account and source-control link unverified, registry reputation score strongly negative), uploaded 10 packages in a ~34-minute window starting at 03:23 UTC. Every package carries crypto- or Web3-flavoured naming designed to lure developers searching for DeFi / wallet / farming / swap SDKs.

Payload

Each package ships an identical postinstall hook that runs once per npm install. The script first probes whether the host looks like CI or a sandbox (CI-env-var check, hostname pattern check). If the host looks like a real developer workstation, it sweeps the filesystem for the following high-value targets across six blockchain ecosystems:

  • Solana: ~/.config/solana/id.json, ~/.solana/keypair.json
  • Ethereum: ~/.ethereum/keystore and any keystore JSON under it
  • Bitcoin: ~/.bitcoin/wallet.dat
  • Tron, Sui, Aptos: wallet-key file paths specific to each chain
  • Generic developer secrets: ~/.ssh/id_*, .env files anywhere under the cwd

Everything found is bundled and POSTed to a Telegram bot — bot id 8227918239 — which gives the operator a hands-off mailbox of stolen wallets and credentials. The single most useful IOC for defenders is the bot id; anyone seeing outbound traffic that includes 8227918239 in the URL path or body is hit.

Confirmed packages and versions

Xygeni publicly named four of the ten packages. Cross-referenced directly against the npm registry on 2026-06-10 (each tarball was unpublished on 2026-06-09 ~11:23 UTC but tombstones remain in the registry):

  • wallet-sdk-9 3.7.73 — published 2026-06-09 03:23:51 UTC
  • swap-sdk-87 4.63.78 — published 2026-06-09 03:55:36 UTC
  • defi-tools-39 4.26.29 — published 2026-06-09 03:56:33 UTC
  • farming-tools-12 4.68.54 — published 2026-06-09 03:56:52 UTC

The remaining six package names from the same publisher batch were not enumerated in any source available at ingest time and could not be independently verified against the registry — Xygeni's blog post is the authoritative list. We will backfill the remaining names as additional sources surface.

Detection / response timeline

  • 2026-06-09 03:23 → 03:57 UTC — aicrypto-xzggg publishes all 10 packages
  • 2026-06-09 11:23 UTC — npm-support unpublishes every release; package names remain reserved but install attempts fail with "unpublished"
  • 2026-06-09 (later same day) — Xygeni publishes the SeedSweep write-up

No formal GHSA was filed at disclosure time — the unpublish-and-warn route is npm's usual handling for new-account spray attacks where there is no maintainer chain to invalidate. Treat npm's unpublish as the authoritative remediation.

Affected packages (4)

  • npmdefi-tools-39
    4.26.29
  • npmfarming-tools-12
    4.68.54
  • npmswap-sdk-87
    4.63.78
  • npmwallet-sdk-9
    3.7.73

Impact

  • Direct theft of crypto signing keys and recovery phrases from developer workstations: ~/.config/solana/id.json, ~/.solana/keypair.json, ~/.ethereum/keystore, ~/.bitcoin/wallet.dat, plus Tron / Sui / Aptos wallet paths
  • postinstall hook fires on npm install even without the package being require()d — adding the package to package.json is sufficient exposure
  • SSH private keys (~/.ssh/id_*) and .env files swept from the working tree
  • Telegram bot exfiltration channel bypasses most outbound HTTP egress filters that whitelist api.telegram.org
  • CI/sandbox heuristic check (skip-execute-if-CI) reduces detection-rate-in-sandbox but maximises hit-rate against real developer hosts

What to do

  1. 1Grep your lockfiles and npm caches for any of the 10 known package names below — block / quarantine any match. The four confirmed names (wallet-sdk-9, swap-sdk-87, defi-tools-39, farming-tools-12) carry the version numbers 3.7.73, 4.63.78, 4.26.29, 4.68.54 respectively
  2. 2On any developer workstation that ran npm install for one of these packages: treat every wallet, every recovery phrase, every SSH key, and every .env value as compromised. Move funds from a known-clean machine before rotating
  3. 3Block outbound traffic to api.telegram.org from developer workstations and CI runners that have no legitimate Telegram integration. Alert on outbound to bot id 8227918239
  4. 4Run npm install --ignore-scripts by default; opt-in to lifecycle scripts only for the specific dependencies that require them. Set ignore-scripts=true in repo and global .npmrc
  5. 5Audit npm publish history under your team accounts for any new packages published 2026-06-09 — the same operator may have reached additional accounts in the same window

References

npm-2026-06-09-seedsweep-aicrypto-xzggg