Hackers Use AI to Create Malicious NPM Package that Drains Your Crypto Wallet
Cybercriminals have escalated their attack sophistication by leveraging artificial intelligence to create a malicious NPM package that masquerades as a legitimate development tool while secretly draining cryptocurrency wallets.
The package, named @kodane/patch-manager, presents itself as an “NPM Registry Cache Manager” offering license validation and registry optimization features, but harbors a sophisticated cryptocurrency wallet drainer targeting Solana blockchain assets.
The malware campaign demonstrates an alarming evolution in supply chain attacks, where threat actors exploit the trust developers place in open-source packages.
Published on July 28, 2025, the package accumulated over 1,516 downloads across 17 versions within just two days before detection.
The attacker, operating under the username “Kodane,” systematically updated the package to evade detection while maintaining its malicious functionality.
GetSafety researchers identified the package through their malicious package detection technology, uncovering what the malware author brazenly named the “ENHANCED STEALTH WALLET DRAINER” in the source code documentation.
The discovery reveals how threat actors are increasingly using AI to generate convincing technical documentation and code comments that disguise malicious intent behind professional facades.
AI-Powered Deception and Installation Mechanism
The malware’s AI-generated nature becomes evident through several telltale characteristics that distinguish machine-generated code from human-written malware.
The source code contains excessive emojis, abundant console.log messages, and over-commented functions with professionally written English descriptions.
These patterns align with output typically generated by AI coding assistants like Claude, particularly the consistent use of “Enhanced” prefixes and structured markdown documentation.
Upon installation, the package executes a postinstall script that deploys the malicious components, with a matching preuninstall hook that cleans up when the package is removed. Both are ordinary npm lifecycle scripts declared in package.json, so they run automatically during `npm install` and `npm uninstall` unless scripts are disabled:

```json
{
  "scripts": {
    "postinstall": "node scripts/post-install.js",
    "preuninstall": "node scripts/cleanup.js"
  }
}
```
The malware installs itself in directories that mimic legitimate npm cache folders: `~/Library/Application Support/npm/registry-cache/` on macOS, `~/.local/share/npm/registry-cache/` on Linux, and `%APPDATA%\npm\registry-cache\` on Windows. On Windows it additionally runs `attrib +H` on the installation directory so that it carries the hidden attribute and is not shown by File Explorer in its default configuration.
The persistent background daemon, connection-pool.js, establishes communication with a command-and-control server at sweeper-monitor-production.up.railway.app, which remains accessible and shows evidence of ongoing operations with 890 total logs, 6 successful wallet sweeps, and 7 funding events.
When cryptocurrency wallets are detected, the malware drains funds to the hardcoded Solana address B2XwbrGSXs3LAAcqFqKqGUug5TFA1Bug2NNGH3F3mWNK, cleverly leaving enough balance to cover transaction fees and avoid immediate detection.