
Malicious npm Packages Target Ethereum Developers via Telegram


A new set of four malicious packages appeared in the npm package registry, targeting Ethereum developers with the intent to steal cryptocurrency wallet credentials.

“The packages masquerade as legitimate cryptographic utilities and Flashbots MEV infrastructure while secretly exfiltrating private keys and mnemonic seeds to a Telegram bot controlled by the threat actor,” Socket researcher Kush Pandya said in an analysis.

A user named flashbotts uploaded the packages, the earliest as far back as September 2023 and the most recent on August 19, 2025. At the time of writing, all four remain available for download: @flashbotts/ethers-provider-bundle, sdk-ethers, flashbot-sdk-eth, and gram-utilz.

The attackers deliberately impersonated Flashbots because of its central role in mitigating the harmful side effects of Maximal Extractable Value (MEV) on Ethereum, that is, the profit a block producer or searcher can extract by reordering, inserting, or censoring transactions. Those side effects include sandwich, liquidation, backrunning, front-running, and time-bandit attacks.

Among the four, @flashbotts/ethers-provider-bundle poses the greatest danger. It disguises itself as a full Flashbots API–compatible library while secretly exfiltrating environment variables through SMTP using Mailtrap. Beyond that, the package also redirects all unsigned transactions to an attacker-controlled wallet and logs metadata from pre-signed transactions.

Meanwhile, sdk-ethers appears mostly benign but still contains two hidden functions. When developers unknowingly trigger these functions in their own projects, the package transmits mnemonic seed phrases to a Telegram bot.

The second Flashbots impersonator, flashbot-sdk-eth, also attempts to steal private keys. In parallel, gram-utilz provides a modular mechanism for sending arbitrary data to the attacker’s Telegram channel.

Because mnemonic seed phrases act as the “master key” to recover wallets, any theft of these phrases gives threat actors complete control over victims’ funds.

Clues inside the source code add more context: the presence of Vietnamese language comments suggests that the attackers may be Vietnamese-speaking and financially motivated.

Altogether, the findings show how the attackers weaponized the trust developers place in npm packages to mount a software supply chain attack. By embedding the malicious functions inside otherwise harmless-looking utility code, they reduced the chance that a casual review would notice them.

“Because Flashbots is widely trusted by validators, searchers, and DeFi developers, any package that appears to be an official SDK has a high chance of being adopted by operators running trading bots or managing hot wallets,” Pandya warned. “A compromised private key in this environment can lead to immediate, irreversible theft of funds.”

He further emphasized, “By exploiting developer trust in familiar package names and padding malicious code with legitimate utilities, these packages turn routine Web3 development into a direct pipeline to threat actor-controlled Telegram bots.”

Source: TheHackerNews

Read more at Impreza News
