The Hacker News
A new set of four malicious packages have been discovered in the npm package registry with capabilities to steal cryptocurrency wallet credentials from Ethereum developers.
"The packages masquerade as legitimate cryptographic utilities and Flashbots MEV infrastructure while secretly exfiltrating private keys and mnemonic seeds to a Telegram bot controlled by the threat actor," Socket researcher Kush Pandya said in an analysis.
The packages were uploaded to npm by a user named " flashbotts ," with the earliest library uploaded as far back as September 2023. The most recent upload took place on August 19, 2025. The packages in question, all of which are still available for download as of writing, are listed below -
@flashbotts/ethers-provider-bundle (52 Downloads)
flashbot-sdk-eth
The List
America News
Slate Politics
Atlanta Black Star Entertainment
Associated Press US and World News Video
Local News in California
Bored Panda
Raw Story