npm Malware Targets Crypto Wallets, MongoDB; Code Points to Turkey

Sonatype discovered ‘crypto-encrypt-ts’, a malicious npm package impersonating the popular CryptoJS library to steal crypto and personal data. Over 1900 downloads reported so far.

Cybersecurity researchers at Sonatype have recently uncovered a malicious package on the npm registry named ‘crypto-encrypt-ts’. The package was designed to look like an updated version of the widely used but no longer maintained CryptoJS library, and since it appeared on npm it has been downloaded over 1,928 times.

The genuine CryptoJS library, despite no longer being maintained, remains very popular, attracting millions of downloads each week. This popularity, along with similar interest in related projects like 'crypto-ts', has made it a target for malicious individuals.

Sonatype’s security researcher Jeff Thornhill analysed this threat, which Sonatype is tracking as sonatype-2025-001329. According to Sonatype’s research, shared with Hackread.com, the deceptive ‘crypto-encrypt-ts’ package presents itself as a TypeScript port of the original CryptoJS.

However, instead of providing encryption functionalities, it secretly accesses cryptocurrency wallets and sends sensitive information to attackers. It even copied parts of the real library’s documentation and was uploaded by an npm user named ‘crypto-security-tool’, who has no other packages on the platform.

This malicious package abuses a legitimate service called Better Stack, previously known as Logtail, to quietly send stolen data to an attacker-controlled endpoint (s1287874.eu-nbg-2.betterstackdatacom). Better Stack is a platform for collecting and analysing software logs to help with debugging and resolving issues. The package specifically uses Better Stack’s ‘@logtail/node‘ npm package from within the ‘start.js‘ file of the malicious software, so its exfiltration traffic looks like ordinary log shipping.

Further probing revealed that the malicious code, specifically in version 5.4.2, searches the infected computer for MongoDB connection details. If it finds any, it attempts to collect cryptocurrency wallet addresses, their balances, and environment variables. Interestingly, the presence of comments and messages in the Turkish language within the code suggests a possible origin of this malicious component. Later versions, including version 5.4.5, target cryptocurrency wallets whose values exceed 1000 and steal private keys, sending the information to the attacker’s server via the Better Stack service.

The malicious software uses ‘pm2’ to create a scheduled cron job for Node.js and Bun applications, allowing the malicious process to run continuously and be restarted without downtime. Recent versions contain advanced, obfuscated code, making the software’s true intent difficult to determine.
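A defender-side check for the indicators this report describes, written as an added example (this is not Sonatype's, npm's or the package's own code): it walks a parsed package-lock.json and flags the named malicious package, typosquat candidates of popular names, and any self-described crypto library that pulls in a log-shipping client or a process manager. The sample lockfile and its version numbers are constructed for the demonstration.

```javascript
// Added example (not Sonatype's or npm's code): audit a parsed package-lock.json
// (lockfileVersion 2/3 "packages" map) for the indicators described in the report.
const KNOWN_MALICIOUS = new Set(["crypto-encrypt-ts"]);        // named in the report
const LOOKALIKE_TARGETS = ["crypto-js", "crypto-ts", "lodash", "eslint"];
const SUSPICIOUS_DEPS = new Set(["@logtail/node", "pm2"]);      // exfil / persistence
// Levenshtein edit distance; a small distance to a popular name is a typosquat signal.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++)
    for (let j = 1; j <= b.length; j++)
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1,
                         d[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1));
  return d[a.length][b.length];
}
// Returns a list of { name, version, reason } findings for a parsed lockfile.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue;                                  // the root project itself
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    if (KNOWN_MALICIOUS.has(name))
      findings.push({ name, version: meta.version, reason: "known malicious package" });
    // Genuine targets are skipped: crypto-js and crypto-ts are one edit apart and both legitimate.
    if (!LOOKALIKE_TARGETS.includes(name))
      for (const target of LOOKALIKE_TARGETS)
        if (editDistance(name, target) <= 2)
          findings.push({ name, version: meta.version, reason: `possible typosquat of ${target}` });
    // A package presenting itself as a crypto library has no reason to ship a log client or pm2.
    const bad = Object.keys(meta.dependencies || {}).filter((dep) => SUSPICIOUS_DEPS.has(dep));
    if (bad.length > 0 && /crypt/.test(name))
      findings.push({ name, version: meta.version, reason: `crypto library depends on ${bad.join(", ")}` });
  }
  return findings;
}
// Constructed sample lockfile (not from a real project); versions are illustrative.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "crypto-encrypt-ts": "^5.4.5", loadash: "^4.17.21" } },
    "node_modules/crypto-encrypt-ts": { version: "5.4.5", dependencies: { "@logtail/node": "^0.4.0", pm2: "^5.3.0" } },
    "node_modules/loadash": { version: "4.17.21" },
    "node_modules/crypto-js": { version: "4.2.0" },
  },
};
for (const f of auditLockfile(SAMPLE_LOCK)) console.log(`${f.name}@${f.version}: ${f.reason}`);
```

Lookalike hits are candidates for human review, not verdicts; the distance threshold will also catch legitimately similar names.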

Sonatype reported the harmful package to the npm registry and advised users to remove all versions of ‘crypto-encrypt-ts’. More broadly, this discovery highlights a growing trend of cybercriminals using typosquatting (publishing fake packages with names that closely resemble legitimate ones) to steal cryptocurrency, counting on users mistakenly installing the malicious version.

Other recent examples of this tactic include fake versions of ‘loadash‘ and ‘ESlint’. Stronger security measures throughout the software development process and increased vigilance when using third-party software from public registries should be organizations’ top priority to stay protected.
