11 Malicious npm Packages with 2.7M+ Downloads Steal SSH Keys, Cloud Credentials, and Crypto Wallets
Cyfirma uncovered 11 malicious npm packages, including moralis-sdk with 2.7M downloads, that steal SSH keys, API tokens, cloud credentials, and cryptocurrency wallet secrets via lifecycle hooks and blockchain-based C2.

A coordinated supply-chain attack on the npm registry has been uncovered by researchers at Cyfirma, involving 11 malicious packages that collectively accumulated over 2.72 million downloads. The campaign targets blockchain developers, Web3 teams, and cloud engineers, stealing SSH private keys, API tokens, cloud credentials, and cryptocurrency wallet secrets. The packages, including moralis-sdk (2.7M+ downloads), ethers-jss, and coinbase-wallet-utils, abuse npm lifecycle hooks to execute malicious code automatically during installation; the victim needs only to run an npm install, whether the package is a direct dependency or is pulled in transitively.
The infection method is deceptively simple. Each package declares a preinstall or postinstall script in its package.json, so npm runs the malicious code, with the installing user's privileges, the moment a developer runs an install command. The ethers-jss package acts as a malicious wrapper around the legitimate ethers library, intercepting wallet creation and recovery functions to capture private keys and mnemonic phrases, which are then sent to an attacker-controlled endpoint hosted on GitHub Codespaces. It also bundles a Python script named docker_hunter.py that performs OSINT-style lookups against Docker Hub repositories tied to blockchain tooling.
The coinbase-wallet-utils package focuses on reconnaissance: it collects the victim's hostname, username, environment variables (a common home for API tokens and cloud credentials), and working directory, then exfiltrates everything silently with curl. A separate cluster of five packages published by the npm user ethcompat goes further, encrypting stolen credentials with AES-256-GCM and embedding the ciphertext in Ethereum transactions sent to an attacker-controlled wallet, turning the victim's own wallet into the exfiltration channel. Because the data is written to a public blockchain rather than posted to a server, there is no exfiltration host for defenders to block or take down.
The moralis-sdk package is particularly crafty. It started as a clean copy of the legitimate Moralis SDK in October 2025 and was later weaponized through an update that added a heavily obfuscated postinstall.js file. That file fetches a YouTube page and uses it as a remote activation switch, delivering its payload only if a hidden marker is present on the page. This gives the attacker control over when the malware activates and lets the package behave benignly while the marker is absent, for example during an analyst's test install.
Three typosquatting packages, ganach, solidty, and stelar-sdk, resolve their infrastructure differently. Instead of hard-coding a server address, they query an Ethereum smart contract to retrieve the current download location, so the attacker can repoint the campaign by updating contract state rather than republishing packages. The malware then downloads a platform-specific binary for Windows, Linux, or macOS depending on the victim's operating system.
Researchers found several attribution hints. The accounts used to publish the packages had randomly generated names, a common tactic to avoid being traced. Deobfuscated code contained Russian-language comments and variable names, pointing to a financially motivated actor with experience in cryptocurrency-related cybercrime, though no specific group was formally named.
Cyfirma recommends running npm installs with the --ignore-scripts flag to block automatic script execution; the same setting can be made the default in .npmrc. The trade-off is that legitimate lifecycle scripts, such as native-addon builds, are skipped too and must be run deliberately for the few packages that need them. Organizations should also deploy Software Composition Analysis tools, avoid storing private keys or seed phrases in plaintext, and treat every credential present on an affected machine as compromised: rotate API tokens and cloud credentials, replace SSH keys, and move funds out of exposed wallets immediately. Developers in Web3 environments should verify publisher identity, download history, and repository ownership before adding any unfamiliar package, and be wary of names that differ from a well-known package by a single character or an appended suffix.