Socket's Threat Research Team discovered five malicious npm packages published under the account galedonovan that typosquat legitimate Solana and Ethereum crypto libraries. Each package intercepts private key operations at runtime (Base58 decode() calls for Solana and the Wallet constructor for Ethereum) and silently exfiltrates keys as plaintext to a hardcoded Telegram bot before returning normal results. The campaign targets developers building on Solana DEX integrations and Ethereum wallets. Forensic analysis reveals shared artifacts across all five packages: identical C2 infrastructure, shared typos in package.json, byte-identical CJS binaries, and a transitive dependency chain where bs58-basic pulls in the malicious base-x-64. Developers should immediately audit for raydium-bs58, base-x-64, base_xd, bs58-basic, and ethersproject-wallet, treat any exposed private keys as compromised, and use only the official scoped packages.