AI-generated wallet-draining malware, disguised as a routine npm package, emptied crypto wallets in seconds; its use of the open source ecosystem as a delivery channel has raised urgent concerns across the blockchain and developer communities.
Inside Crypto Wallet Drainer: How one script moves funds in seconds
Crypto investors were on alert after cybersecurity company Safety revealed on July 31 that a malicious JavaScript package built with artificial intelligence (AI) was being used to steal funds from crypto wallets. The package, disguised as a benign utility called @kodane/patch-manager in the Node Package Manager (NPM) registry, contained an embedded script designed to drain wallet balances. Safety research director Paul McCarty explained:
Safety’s malicious package detection technology has discovered AI-generated malicious NPM packages that act as sophisticated cryptocurrency wallet drainers.
On installation, the package's post-install script deployed renamed copies of its files (Monitor.js, Sweeper.js, and Utils.js) into hidden directories on Linux, Windows, and macOS systems. A background script, Connection-Pool.js, kept an active connection to the command and control (C2) server and scanned infected devices for wallet files. Transaction-Cache.js carried out the actual theft. “If a crypto wallet file is found, this file actually ‘sweeps’ it, which is the emission of funds from the wallet. It does this by identifying what’s in your wallet and draining most of it.”
The stolen assets were routed to a specific address on the Solana blockchain via hard-coded remote procedure call (RPC) endpoints. McCarty added:
The drainer is designed to steal funds from unsuspecting developers and users of their applications.
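The behaviours described above (an install-time hook, files dropped into hidden directories, probing for wallet files, hard-coded Solana RPC endpoints and destination addresses, and a polling connection back to a server) are all visible in a package's source before it is ever installed. The following is an added example, written for this page and not code from the article, from Safety, or from the malicious package: a small static triage script that scans an npm package's contents for those indicators. The indicator patterns are my own heuristics derived from the article's description; the package it scans is a constructed, inert stand-in (the only real value in it is the public Solana RPC host api.mainnet-beta.solana.com, and the wallet path ~/.config/solana/id.json is the Solana CLI default keypair location). It is a pre-install triage aid, not a substitute for a proper malicious-package feed.

```javascript
'use strict';

// Added example: static triage of an npm package's contents for the install-time
// wallet-drainer indicators described in the article. Patterns are heuristics
// written for this example, not signatures from Safety or from the real package.

const SOLANA_RPC = /https?:\/\/[\w.-]*solana\.com[\w./-]*/g;              // public RPC hosts, e.g. api.mainnet-beta.solana.com
const BASE58_32_44 = /['"`]([1-9A-HJ-NP-Za-km-z]{32,44})['"`]/g;            // quoted string with Solana pubkey alphabet and length
const HIDDEN_DIR = /(?:homedir\(\)|process\.env\.(?:HOME|APPDATA|USERPROFILE))\s*,\s*['"`]\.[\w.-]+/g; // path under $HOME/.something
const WALLET_PATH = /\.config[\\/]+solana|\bid\.json\b|keypair/gi;          // Solana CLI default keypair lives at ~/.config/solana/id.json
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare']; // scripts npm runs without being asked

// Scan one source file and return every indicator hit with its evidence string.
function scanSource(file, src) {
  const findings = [];
  const add = (indicator, evidence) => findings.push({ file, indicator, evidence });
  for (const [indicator, re] of [
    ['solana-rpc', SOLANA_RPC], ['base58-address', BASE58_32_44],
    ['hidden-dir-write', HIDDEN_DIR], ['wallet-path-probe', WALLET_PATH],
  ]) {
    for (const m of src.matchAll(re)) add(indicator, m[1] ?? m[0]);
  }
  // A timer that repeatedly makes a network call is the shape of a C2 beacon.
  if (/\bsetInterval\s*\(/.test(src) && /\b(?:fetch|https?\.request|https?\.get)\s*\(/.test(src)) {
    add('polling-network-loop', 'setInterval + network call');
  }
  return findings;
}

// pkg = { packageJson: <parsed package.json>, files: { relativePath: sourceText } }
function auditPackage(pkg) {
  const findings = [];
  const scripts = (pkg.packageJson && pkg.packageJson.scripts) || {};
  for (const hook of LIFECYCLE_HOOKS) {
    if (scripts[hook]) findings.push({ file: 'package.json', indicator: 'install-hook', evidence: `${hook}: ${scripts[hook]}` });
  }
  for (const [file, src] of Object.entries(pkg.files || {})) findings.push(...scanSource(file, src));
  return findings;
}

// Verdict rule: code that runs at install time *and* shows any chain/wallet/beacon
// indicator is worth blocking before anyone reads further. An install hook alone
// (native addons use them legitimately) is not enough on its own.
function isSuspicious(findings) {
  const kinds = new Set(findings.map(f => f.indicator));
  const chain = ['solana-rpc', 'base58-address', 'wallet-path-probe', 'hidden-dir-write', 'polling-network-loop'];
  return kinds.has('install-hook') && chain.some(k => kinds.has(k));
}

// Constructed stand-in package mirroring the layout the article describes. It is
// only scanned as text here; nothing in it is executed, and the destination
// "address" is a placeholder string, not a real key.
const SAMPLE_PACKAGE = {
  packageJson: { name: 'example-utility', version: '1.0.0', scripts: { postinstall: 'node lib/setup.js' } },
  files: {
    'lib/setup.js': [
      "const os = require('os'), path = require('path');",
      "const dest = path.join(os.homedir(), '.cache-example');",
      '// copy helpers into dest (omitted in this stand-in)',
    ].join('\n'),
    'lib/connection-pool.js': [
      "setInterval(() => fetch('https://c2.example.invalid/beacon'), 60000);",
      "const wallet = path.join(os.homedir(), '.config', 'solana', 'id.json');",
    ].join('\n'),
    'lib/transaction-cache.js': [
      "const RPC = 'https://api.mainnet-beta.solana.com';",
      "const DEST = 'AbCdEfGhJkMnPqRsTuVwXyZ123456789'; // placeholder, not a real key",
    ].join('\n'),
    'lib/index.js': 'module.exports = { patch: (x) => x };',
  },
};

const findings = auditPackage(SAMPLE_PACKAGE);
for (const f of findings) console.log(`${f.file}: ${f.indicator} -> ${f.evidence}`);
console.log(isSuspicious(findings) ? 'VERDICT: suspicious' : 'VERDICT: no install-time indicators');
```

To use this on a real package, download the tarball with `npm pack <name>` and extract it rather than installing it, then feed the unpacked `package.json` and `.js` files into `auditPackage`. The verdict rule deliberately requires an install hook plus a second indicator, so packages that legitimately build native code are not flagged on the hook alone.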
The malware was published on July 28 and removed by July 30; it had been downloaded more than 1,500 times before NPM flagged it as malicious. Vancouver-based Safety is known for its prevention-first approach to software supply chain security. Its AI-driven system analyzes millions of open source package updates and maintains its own vulnerability database, which the company says catches four times as many vulnerabilities as public sources. Its tools are used by individual developers, Fortune 500 companies, and government agencies.