Security researchers at the software supply chain protection company Socket have identified five malicious packages on the npm registry aimed at blockchain developers. The packages rely on typosquatting, lookalike names that trick users into installing fraudulent code, and target sensitive data within the Ethereum and Solana ecosystems. By wrapping the wallet and signing functions that developers call, the malware captures private keys and transmits them to the attackers, a direct threat to the digital assets those keys control.
Mechanism of the Typosquatting Attack
The threat actors behind this campaign registered package names that closely resemble popular legitimate libraries, counting on developers to mistype a name during installation or to copy one from an imitation. According to the report released on March 28, 2026, four of the identified packages were tailored to target Solana developers, while one was directed at those working on the Ethereum blockchain. The malicious code stays dormant until a developer calls specific functions related to wallet management or transaction signing, which is also where the private key material passes through.
- Function Hijacking: The malware wraps the legitimate function so that it runs in the middle of calls that already handle key material, and reads the sensitive data as it passes through.
- Data Exfiltration: Stolen private keys are bundled and sent to the attackers via a Telegram bot API.
- Stealth Execution: After the theft occurs, the wrapper returns the result the legitimate function would have produced, so the call appears to succeed and the breach is difficult to detect immediately.
Response and Risk Mitigation
Socket researchers have submitted a request to the npm security team for the immediate removal of these packages from the public registry. Typosquatting remains one of the most common vectors for supply chain attacks in the open-source community, as it exploits a moment of human error rather than a vulnerability in the library being imitated. Experts emphasize that once a private key is compromised, the attacker has full control over the associated wallet, regardless of the underlying blockchain's security; a blockchain key cannot be revoked or rotated in place, so the only remedy is to move the funds to a key the attacker never saw.
"The malicious packages hijack key functions called by developers and upload private key data before returning normal results", stated the security report.
In light of these findings, developers are urged to audit their project dependencies, compare each installed package name character by character against the name published in the upstream project's documentation, and review lockfiles for near-miss names. Anyone who suspects they installed one of these packages is advised to treat every key that was reachable from that environment as compromised: generate fresh keys (ideally on a hardware wallet), move all funds to them immediately, and rotate any other credentials the build or development machine could access. As the complexity of DeFi and Web3 development grows, maintaining rigorous security standards during the software integration process remains a critical defense against evolving threats.
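The dependency audit recommended above can be automated. The following is an added example, not code from Socket or from the report, that checks the dependency names in a package.json against a short list of legitimate libraries and flags any name that sits within a couple of edits of one, after removing scope and separator characters that squatters like to play with. The list of known-good names, the sample manifest and the lookalike names in it are constructed for the illustration and are not the five packages named in the report.

```javascript
// Added example: spotting typosquatted dependency names in a package.json.
// KNOWN_GOOD is an illustrative allow-list, not a complete one; a real audit
// would build it from the project's documented dependencies.
const KNOWN_GOOD = [
  "@solana/web3.js",
  "@solana/spl-token",
  "ethers",
  "web3",
  "bs58",
];

// Optimal string alignment distance: insertions, deletions, substitutions and
// adjacent transpositions each cost 1, so "ehters" is 1 edit from "ethers".
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      // Adjacent transposition ("ht" vs "th").
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Strip scope and separator characters so that "@solana/web3.js",
// "solana-web3.js" and "solana_web3js" all compare as "solanaweb3js".
function normalize(name) {
  return name.toLowerCase().replace(/[@\/\-_.]/g, "");
}

// Flag every dependency that is not an exact known-good name but lies within
// maxDistance edits of one after normalization. Distance 0 means the names
// differ only in scope or separators, which is itself a classic squat.
function findTyposquats(deps, knownGood = KNOWN_GOOD, maxDistance = 2) {
  const exact = new Set(knownGood);
  const findings = [];
  for (const dep of Object.keys(deps)) {
    if (exact.has(dep)) continue;
    const n = normalize(dep);
    for (const good of knownGood) {
      const distance = editDistance(n, normalize(good));
      if (distance <= maxDistance) {
        findings.push({ dependency: dep, resembles: good, distance });
        break;
      }
    }
  }
  return findings;
}

// Constructed "dependencies" map standing in for a real package.json.
const SAMPLE_DEPS = {
  "@solana/web3.js": "^1.95.0",
  "solana-web3js": "1.0.0",   // scope dropped, separator changed
  "ehters": "6.0.1",          // transposed letters
  "express": "^4.19.0",       // unrelated, should not be flagged
};

function main() {
  const findings = findTyposquats(SAMPLE_DEPS);
  if (findings.length === 0) {
    console.log("no lookalike dependency names found");
    return;
  }
  for (const f of findings) {
    console.log(`suspicious: ${f.dependency} resembles ${f.resembles} (distance ${f.distance})`);
  }
}

if (typeof require !== "undefined" && require.main === module) main();
```

Run it with `node` against a real manifest by replacing SAMPLE_DEPS with `require("./package.json").dependencies` and KNOWN_GOOD with the names your project actually depends on. A distance threshold of 2 on normalized names is tight enough to avoid flagging unrelated short names but will still catch a dropped scope, a swapped separator or a transposition; anything it flags should be checked against the upstream project's documented install command before it is allowed to stay.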