Feed
CriticalPublished 13 Jun 2026Updated 21 Jun 202611 packages · 12 versions

Cyfirma multi-stage crypto-wallet campaign: moralis-sdk, ethers-jss, coinbase-wallet-utils, plus the `ethcompat` ethereum-C2 cluster

Summary

Cyfirma Research disclosed an 11-package npm campaign targeting Web3 / blockchain developers across three clusters: a YouTube-page-gated postinstall trojan in moralis-sdk (2.7M+ downloads from the legitimate package name), the ethers-jss / coinbase-wallet-utils private-key sweepers (both yanked 2026-06-10), three long-lived typosquats (ganach, solidty, stelar-sdk, live since 2024), and the ethcompat 5-pack (hardhat-deploy-utils, web3-deploy-helper, defi-sdk-core, ethers-compat, ethereum-dev-utils) that AES-256-GCM-encrypts stolen creds and embeds them in Ethereum transactions to an attacker wallet.

typosquatcrypto-wallet-draincredential-theftinfostealerobfuscation
Detected by
Cyfirma
Ecosystems
npm
Packages tracked
11

What happened

Cyfirma Research published the multi-stage cryptocurrency npm campaign disclosure mid-June 2026, surfacing 11 malicious npm packages targeting blockchain developers, Web3 projects, cryptocurrency wallet operators, and cloud-native development environments. The campaign spans three operationally distinct clusters that share TTPs and victim profile but use different staging / exfil paths. Cyfirma identifies the campaign as ongoing, with several of the packages still live on the registry at time of disclosure.

Cluster 1 — moralis-sdk YouTube-gated multi-stage loader (the headline finding)

moralis-sdk was published on 2025-10-28 as a clean clone of the legitimate Moralis JS SDK and accumulated ~2.7M cumulative downloads against the legitimate package name before the campaign weaponised it. Version 1.0.1 (2025-11-11) added a heavily-obfuscated postinstall.js that uses a specific YouTube watch-page as a remote activation switch — the payload only delivers if a hidden marker string is found in the page body. This conditional execution is what kept the package below detection thresholds for ~6 months. Capabilities include cryptocurrency wallet interception, private key and mnemonic phrase theft, SSH credential harvesting, environment variable collection, sensitive file discovery, blockchain-based infrastructure retrieval, and multi-stage payload delivery. Both versions remain live on the npm registry at time of writing.

Cluster 2 — ethers-jss / coinbase-wallet-utils private-key sweepers

Published within minutes of each other on 2026-05-09 (01:58 and 02:01 UTC respectively) by what appears to be a coordinated single operator. ethers-jss@6.13.1 impersonates the legitimate ethers JS library v6 line; coinbase-wallet-utils@1.0.0 impersonates the Coinbase Wallet SDK utility surface. The Coinbase package starts with reconnaissance — host name, username, env vars, working directory — and exfils via curl. Both were yanked by npm-support on 2026-06-10 at 11:40 UTC and replaced with 0.0.1-security holders.

Cluster 3 — ethcompat Ethereum-blockchain-C2 5-pack

The most technically interesting cluster. The npm publisher ethcompat released five packages on 2026-05-02 within ~15 seconds of each other (01:52:51 → 01:53:13 UTC):

  • hardhat-deploy-utils@1.0.0
  • web3-deploy-helper@1.0.0
  • defi-sdk-core@1.0.0
  • ethers-compat@1.0.0
  • ethereum-dev-utils@1.0.0

Combined downloads: 2,236. Each carries a postinstall script that harvests deployment credentials, SSH keys, mnemonic seed phrases, and .env-resident secrets, AES-256-GCM-encrypts the bundle, and then embeds the ciphertext inside the data payload of an Ethereum transaction sent to a hard-coded attacker wallet. This converts the victim's own Ethereum wallet into the exfiltration channel — every block explorer is a covert C2 retrieval point, no DNS / HTTPS exfil signature, and the operator can recover the encrypted payload from any read-only Ethereum node. As of disclosure all five packages were still live on the registry.

Cluster 4 — ganach / solidty / stelar-sdk long-lived typosquats

Three dormant typosquats published on 2024-11-01 by a separate publisher chain that Cyfirma links to the same operator infrastructure:

  • ganach@7.9.2 (typosquat of ganache)
  • solidty@0.0.1 (typosquat of solidity)
  • stelar-sdk@12.3.0 (typosquat of stellar-sdk)

Version numbers were chosen to track the legitimate target packages' real release line, increasing the chance of accidental installation via fat-finger. All three remain live on npm at time of cataloguing.

Common payload signal

Across all four clusters Cyfirma identifies overlapping tactics: typosquatting, postinstall / preinstall abuse, credential harvesting, wallet theft, blockchain-based C2 and exfiltration, and multi-stage payload delivery. The Ethereum-transaction-as-exfil mechanism in the ethcompat cluster is the distinguishing IOC — if any of your developer wallets has emitted a transaction with a non-empty data payload to an unfamiliar address in May or June 2026, treat the host as compromised.

Status at ingest

Only ethers-jss and coinbase-wallet-utils have been actioned by npm-support as of 2026-06-15. moralis-sdk (the highest-download / highest-impact package in the campaign), the ethcompat 5-pack, and the three 2024-vintage typosquats are still installable. Lockfile audits and registry-level blocks are required because npm has not delisted these yet.

2026-06-21 status re-check

Eight days after Cyfirma's disclosure the npm registry still serves all nine of the originally-still-live packages: moralis-sdk@1.0.0/1.0.1 (no deprecation, dist-tags.latest = 1.0.1), the ethcompat 5-pack (each single-version 1.0.0, no deprecation), and the three 2024-vintage typosquats (ganach@7.9.2, solidty@0.0.1, stelar-sdk@12.3.0). ethers-jss and coinbase-wallet-utils remain replaced with 0.0.1-security holders from 2026-06-10. Defenders need ecosystem-level lockfile blocks because npm-support has not actioned the remaining nine packages in the eight days since disclosure.

Affected packages (11)

  • npmcoinbase-wallet-utils
    1.0.0
  • npmdefi-sdk-core
    1.0.0
  • npmethereum-dev-utils
    1.0.0
  • npmethers-compat
    1.0.0
  • npmethers-jss
    6.13.1
  • npmganach
    7.9.2
  • npmhardhat-deploy-utils
    1.0.0
  • npmmoralis-sdk
    1.0.01.0.1
  • npmsolidty
    0.0.1
  • npmstelar-sdk
    12.3.0
  • npmweb3-deploy-helper
    1.0.0

Impact

  • postinstall script fires on npm install — adding any package to package.json and running install is sufficient exposure; no require() needed
  • moralis-sdk uses a YouTube page as a remote activation switch and only delivers its payload when a hidden marker is found, so sandbox / CI runs may not detect compromise
  • Direct theft of Ethereum private keys, mnemonic seed phrases, MetaMask vault material, hardware-wallet derivation paths, and any *.json / *.env file in the developer working tree
  • SSH private keys (~/.ssh/id_*), AWS credentials, GitHub PATs, npm publish tokens, and environment variables harvested alongside wallet secrets
  • ethcompat cluster turns the victim's own Ethereum wallet into the exfiltration channel: stolen credentials are AES-256-GCM encrypted and embedded as transaction data payloads to an attacker-controlled address — every blockchain explorer is a covert C2 retrieval point
  • moralis-sdk 1.0.0 / 1.0.1 are STILL LIVE on the npm registry at time of writing (~2.7M cumulative downloads); ganach, solidty, and stelar-sdk typosquats have been live since 2024-11-01 and are still installable
  • ethers-jss and coinbase-wallet-utils were yanked by npm-support on 2026-06-10 and replaced with 0.0.1-security holders, but lockfiles that pinned to the malicious versions still resolve

What to do

  1. 1Grep your lockfiles, node_modules, and CI install caches for any of the 11 affected package names — remove and quarantine any match. The Web3 / blockchain developer audience is the entire target — Hardhat, Ethers.js, Web3.js, Solidity, Stellar, Moralis, and Coinbase-Wallet integrations are all in scope
  2. 2Treat any host that ran npm install for these packages as fully compromised: rotate Ethereum private keys, MetaMask seed phrases, hardware-wallet recovery phrases, SSH keys, npm publish tokens, AWS credentials, and GitHub PATs from a known-clean machine BEFORE moving funds
  3. 3Audit Ethereum on-chain history for outbound transactions from your developer wallets to unfamiliar addresses, particularly transactions with non-empty data payloads — the ethcompat cluster uses transaction data as its exfil channel
  4. 4Run npm install --ignore-scripts by default; opt-in to lifecycle scripts only for vetted dependencies. Set ignore-scripts=true in repo-local and global .npmrc
  5. 5Block outbound HTTPS to YouTube from CI runners and untrusted developer workstations — moralis-sdk uses a YouTube watch-page as its activation oracle, and the legitimate engineering use cases on a build runner are essentially nil
  6. 6Pin Web3 SDKs to the verified canonical name and registry of the legitimate project — ganache, solidity, and stellar-sdk (the legitimate names) are what you want; ganach, solidty, stelar-sdk are the typosquat traps

References

npm-2026-06-13-cyfirma-moralis-ethcompat-cluster