Crypto/SSH/wallet stealer, blockchain-helper-0 campaign sibling (c960+). postinstall auto-execs, src/index.js harvests ~/.ssh keys + Sol/Eth/BTC/Tron/Sui/Aptos wallets + .env + seeds, self-labels "CRYPTO STEALER", exfils to SAME Telegram bot 8227918239 chat 6433587894 (not rotated). Inflated version.
-= Per source details. Do not edit below this line.=-
On npm install, the package's postinstall hook loads src/index.js, which after a 4-second delay and a sandbox/CI-evasion gate enumerates secrets on the installing machine and uploads them to an attacker-controlled Telegram bot. Targeted paths include ~/.ssh/id_rsa, ~/.ssh/id_ed25519, the Solana keypair (~/.config/solana/id.json), Ethereum/Bitcoin/Tron/Sui/Aptos wallet files, .env files, and mnemonic/seed/keystore/secrets files. Stolen contents are POSTed to api.telegram.org/bot<redacted>/sendDocument with chat_id 6433587894. The bot token 8227918239:AAGEMDrBZluDsBBYPxfSyMuv2l3FY8cZCcs is hardcoded at src/index.js line 6. The code self-identifies with the literal HTML header CRYPTO STEALER (src/index.js line 107). An evasion routine isTestEnvironment() (src/index.js lines 10–22) suppresses payload execution when CI=true, GITHUB_ACTIONS=true, JENKINS_HOME is set, NODE_ENV is test or development, the hostname matches sandbox/test/ci or a 12-character hex pattern typical of Docker containers, or the username contains runner/sandbox/docker; the gate is designed so the payload fires only on real developer machines. The package advertises itself as 'Core utilities for blockchain development' with web3/solana/ethereum keywords and a placeholder author 'John Miller', a lure aimed precisely at the crypto-developer population whose machines hold the targeted secrets. The package ships no actual SDK functionality.
{
"malicious-packages-origins": [
{
"versions": [
"4.63.78"
],
"import_time": "2026-06-11T01:21:50.900382802Z",
"modified_time": "2026-06-11T01:21:02Z",
"id": "IN-MAL-2026-005349",
"sha256": "ee4f0ee119ae0ba917865c71f333eaeda049ce99024c50ad7d6c3ce41c1f7005",
"source": "amazon-inspector"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/swap-sdk-87/MAL-2026-5359.json"
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]
{
"package_integrity": [
{
"hashes": {
"sha1": "9a10fa0507fefd3073cae93beb0d66de8842d880",
"sha512_sri": "sha512-GgkRFViHT7G57ejPVu2yEFx84aM1SzMRtzPOezmjd/IteoWCqxCUtAb3l0QPUrA0xKDcf5lCXDMPZOSNXlG57A=="
},
"filename": "swap-sdk-87-4.63.78.tgz"
}
],
"evidence_files": [
{
"path": "src/index.js",
"sha256": "9d96f8759e8d593b6dd2338aceb08cdb12e9a5613700953e04e66cc8c2e3087c",
"tlsh": "92a184f50ef6b7108192e3e8524f60015476e1873c06ed64769c87987f8896ca2f2efc"
},
{
"path": "package.json",
"sha256": "098e2813542b33866f477766644416072d274f762456b0ce22c566de668c7c09",
"tlsh": "24e02620df209d732cc8da5a0c72818366614e5751503c1c339f914c475d7bf48be40e"
}
]
}