Socket

Socket's Threat Research Team discovered five malicious npm packages published under the account galedonovan that typosquat legitimate Solana and Ethereum crypto libraries. Each package intercepts private key operations at runtime — Base58 decode() calls for Solana and the Wallet constructor for Ethereum — and silently exfiltrates keys as plaintext to a hardcoded Telegram bot before returning normal results. The campaign targets developers building on Solana DEX integrations and Ethereum wallets. Forensic analysis reveals shared artifacts across all five packages: identical C2 infrastructure, shared typos in package.json, byte-identical CJS binaries, and a transitive dependency chain where bs58-basic pulls in the malicious base-x-64. Developers should immediately audit for raydium-bs58, base-x-64, base_xd, bs58-basic, and ethersproject-wallet, treat any exposed private keys as compromised, and use only the official scoped packages.