Malicious npm Packages Impersonate Flashbots, Steal Ethereum Wallet Keys

Sep 06, 2025 | Ravie Lakshmanan | Software Security / Cryptocurrency

A new set of four malicious packages has been discovered in the npm package registry with capabilities to steal cryptocurrency wallet credentials from Ethereum developers.

“The packages masquerade as legitimate cryptographic utilities and Flashbots MEV infrastructure while secretly exfiltrating private keys and mnemonic seeds to a Telegram bot controlled by the threat actor,” Socket researcher Kush Pandya said in an analysis.

The packages were uploaded to npm by a user named “flashbotts,” with the earliest library uploaded as far back as September 2023. The most recent upload took place on August 19, 2025. The packages in question, all of which are still available for download as of writing, are listed below –

The impersonation of Flashbots is not coincidental, given its role in combating the adverse effects of Maximal Extractable Value (MEV) on the Ethereum network, such as sandwich, liquidation, backrunning, front-running, and time-bandit attacks.

The most dangerous of the identified libraries is “@flashbotts/ethers-provider-bundle,” which uses its functional cover to conceal the malicious operations. Under the guise of offering full Flashbots API compatibility, the package incorporates stealthy functionality to exfiltrate environment variables over SMTP using Mailtrap.

In addition, the npm package implements a transaction manipulation function to redirect all unsigned transactions to an attacker-controlled wallet address and log metadata from pre-signed transactions.

sdk-ethers, per Socket, is mostly benign but includes two functions that transmit mnemonic seed phrases to a Telegram bot. These functions are activated only when unwitting developers invoke them in their own projects.

The second package to impersonate Flashbots, flashbot-sdk-eth, is also designed to trigger the theft of private keys, while gram-utilz offers a modular mechanism for exfiltrating arbitrary data to the threat actor’s Telegram chat.

Because mnemonic seed phrases serve as the “master key” to recover access to cryptocurrency wallets, theft of these sequences of words can allow threat actors to break into victims’ wallets and gain complete control over them.

The presence of Vietnamese language comments in the source code suggests that the financially motivated threat actor may be Vietnamese-speaking.

The findings indicate a deliberate effort on the part of the attackers to weaponize the trust associated with the platform to conduct software supply chain attacks, and to obscure the malicious functionality amid mostly harmless code to sidestep scrutiny.

“Because Flashbots is widely trusted by validators, searchers, and DeFi developers, any package that appears to be an official SDK has a high chance of being adopted by operators running trading bots or managing hot wallets,” Pandya pointed out. “A compromised private key in this environment can lead to immediate, irreversible theft of funds.”

“By exploiting developer trust in familiar package names and padding malicious code with legitimate utilities, these packages turn routine Web3 development into a direct pipeline to threat actor-controlled Telegram bots.”
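
As an added example (not code from Socket or from the original article), the script below audits a parsed npm lockfile for the four package names reported above and for scoped packages whose scope is within two edits of the legitimate one. The trusted scope `@flashbots`, the function names, and the sample lockfile are assumptions made for illustration.

```javascript
const REPORTED = new Set(["@flashbotts/ethers-provider-bundle", "sdk-ethers",
  "flashbot-sdk-eth", "gram-utilz"]); // the four names given in the article
const TRUSTED_SCOPES = ["@flashbots"]; // assumption: the legitimate scope

// Levenshtein distance, used to spot scopes one or two edits from a trusted one.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++)
    for (let j = 1; j <= b.length; j++)
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1,
        d[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1));
  return d[a.length][b.length];
}

// Names of everything installed: lockfile v2/v3 "packages" keys and the
// nested v1 "dependencies" tree, so transitive installs are covered too.
function installedNames(lock) {
  const names = new Set();
  for (const path of Object.keys(lock.packages || {})) {
    const i = path.lastIndexOf("node_modules/");
    if (i !== -1) names.add(path.slice(i + "node_modules/".length));
  }
  const walk = (deps) => Object.entries(deps || {}).forEach(([name, info]) => {
    names.add(name);
    walk(info.dependencies);
  });
  walk(lock.dependencies);
  return names;
}

// Returns { packageName: reason } for every suspicious install.
function auditLockfile(lock) {
  const findings = {};
  for (const name of installedNames(lock)) {
    const scope = name.startsWith("@") ? name.split("/")[0] : null;
    if (REPORTED.has(name)) findings[name] = "named-in-report";
    else if (scope && TRUSTED_SCOPES.some((s) => s !== scope && editDistance(s, scope) <= 2))
      findings[name] = "lookalike-scope";
  }
  return findings;
}

// Constructed sample lockfile (v3 layout); versions are placeholders.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "node_modules/@flashbots/ethers-provider-bundle": { version: "0.0.0" },
  "node_modules/@flashbotts/ethers-provider-bundle": { version: "0.0.0" },
  "node_modules/some-lib/node_modules/gram-utilz": { version: "0.0.0" },
  "node_modules/@flashb0ts/sdk": { version: "0.0.0" },
} };
console.log(auditLockfile(SAMPLE_LOCK));
```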
