Hackers have been using typosquatting npm packages to weaponize the trust Web3 teams place in open-source dependencies, turning routine installs into a path for wallet theft, secret harvesting, and staged malware delivery.
The campaign is especially dangerous because it blends familiar Ethereum and blockchain branding with postinstall and preinstall abuse, allowing malicious code to execute automatically during installation rather than waiting for a user to run it manually.
The report describes 11 suspicious npm packages that impersonate legitimate blockchain tools and utilities, including names built to resemble Ethereum, Coinbase Wallet, Moralis, Hardhat, and other Web3 projects.
Researchers found that the packages were designed for credential theft, reconnaissance, remote payload delivery, and wallet interception, with some variants capturing private keys and mnemonic phrases directly from wallet creation flows.
One cluster focused on deceptive wrappers such as ethers-jss and coinbase-wallet-utils, which abused lifecycle hooks to run code immediately after installation.
Another cluster centered on moralis-sdk, a trojanized package that copied legitimate project files and documentation but added a malicious postinstall stage; the package had more than 2.7 million downloads, making its exposure far larger than the rest of the campaign.
This operation works because typosquatting exploits small human errors: a developer searching for a library may install a lookalike package before noticing the misspelling.
The attackers also used brand impersonation, obfuscation, and lightweight package structures to make the malware look routine and to reduce suspicion during code review.
The technical tradecraft is more mature than a simple dropper campaign. The report notes credential harvesting from environment variables, .env files, SSH keys, and Web3 configuration files, plus multi-stage payload delivery and even blockchain-assisted command-and-control and exfiltration paths.
Cyfirma, in a report shared with GBhackers, described the activity as a cryptocurrency-focused software supply chain campaign involving multiple malicious npm packages that target blockchain developers and Web3 projects.
That matters because it lets attackers move from a single compromised workstation to cloud credentials, CI/CD systems, and production wallets.
Typosquatted npm Packages
This case highlights a structural weakness in blockchain development: Web3 projects often depend on fast-moving open-source packages, frequent updates, and highly privileged secrets stored in developer environments.
At the time of analysis, coinbase-wallet-utils recorded approximately 63 weekly downloads, which increased to 66 weekly downloads during subsequent monitoring.

When malicious code lands in that workflow, the blast radius can include private keys, deployment credentials, and direct financial assets rather than just source code.
The most worrying detail is that the attackers did not rely on one technique. They combined typosquatting, lifecycle hook abuse, obfuscated loaders, remote payload retrieval, and on-chain exfiltration to make detection harder and cleanup more difficult. In other words, this is supply-chain compromise tuned specifically for crypto infrastructure.
The inclusion of a Python script named docker_hunter.py inside a supposedly Ethereum utility-focused npm package is highly suspicious and inconsistent with the package’s claimed functionality.
Analysis of the remaining package contents indicates they are largely identical to the legitimate Moralis SDK source code, examples, and supporting files, suggesting they were copied from the original Moralis project to create the appearance of authenticity.

The article’s findings align with a wider pattern of open-source abuse where attackers prefer package repositories over exploit chains because package trust is already built into developer behavior.
For teams running Web3 applications, this means dependency auditing, package-name verification, lockfile control, and secret scanning are not optional hygiene measures; they are core security controls.
A practical example is a developer installing what looks like a wallet helper library, only to trigger a postinstall script that silently exfiltrates mnemonic phrases and .env contents before deployment.
That is why even small packages with low download counts can be highly dangerous when they target sensitive build environments.
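As an added illustration of the controls just listed (this is example code written for this article, not tooling from Cyfirma or GBhackers), the following Node script audits package manifests for two of the warning signs described above: install-time lifecycle hooks and names that are a short edit away from well-known Web3 libraries. The allowlist of legitimate names and the sample manifests are constructed for the demo.

```javascript
// Added example: pre-install audit for npm manifests (not from the original report).
// Flags install-time lifecycle hooks and near-miss names of known Web3 packages.
const KNOWN_WEB3 = ["ethers", "hardhat", "ganache", "solidity", "web3", "moralis"]; // constructed allowlist
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"]; // hooks npm runs automatically

// Levenshtein distance: number of single-character edits that turn a into b.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
    }
  }
  return d[a.length][b.length];
}

// Returns the legitimate name that `name` most resembles (within 2 edits), or null.
function lookalikeOf(name) {
  if (KNOWN_WEB3.includes(name)) return null;
  let best = null;
  for (const known of KNOWN_WEB3) {
    const dist = editDistance(name, known);
    if (dist <= 2 && (best === null || dist < best.dist)) best = { known, dist };
  }
  return best ? best.known : null;
}

// Audits one package.json object; returns a list of findings (empty means nothing flagged).
function auditManifest(pkg) {
  const findings = [];
  const scripts = pkg.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    if (scripts[hook]) findings.push(`${pkg.name}: runs ${hook} hook: ${scripts[hook]}`);
  }
  const target = lookalikeOf(pkg.name);
  if (target) findings.push(`${pkg.name}: name is a near-miss of ${target}`);
  // Brand-prefixed names (e.g. <known>-something) are common among legitimate plugins too,
  // so this is a review signal rather than a verdict.
  const brand = KNOWN_WEB3.find((k) => pkg.name.startsWith(k + "-"));
  if (brand) findings.push(`${pkg.name}: reuses the ${brand} brand prefix; review before install`);
  return findings;
}

// Constructed sample manifests: a lookalike with a postinstall hook, and a clean legitimate package.
const SAMPLES = [
  { name: "ganach", version: "1.0.0", scripts: { postinstall: "node setup.js" } },
  { name: "hardhat", version: "2.0.0", scripts: { test: "mocha" } },
];
for (const pkg of SAMPLES) auditManifest(pkg).forEach((f) => console.log("WARN", f));
```

Edit distance catches single-typo squats such as ganach or solidty; suffix-style wrappers like ethers-jss are only caught by the brand-prefix rule, which should be paired with a lockfile and registry-metadata review rather than used as a blocker on its own.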
INDICATORS OF COMPROMISE
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.