SeedSweep: 10-package npm crypto-wallet drainer published by `aicrypto-xzggg`
On 2026-06-09 between 03:23 and 03:57 UTC the brand-new npm account aicrypto-xzggg (vipsyria88@gmail.com) shipped 10 Web3-flavoured packages — wallet-sdk-9, swap-sdk-87, defi-tools-39, farming-tools-12, and six others — each carrying an identical postinstall payload that reads wallet keystores, seed-phrase files, SSH keys, and .env files across six chains and exfiltrates them to Telegram bot id 8227918239. npm unpublished every release ~8 hours later. Disclosed by Xygeni as the SeedSweep campaign.
- Threat actor
- aicrypto-xzggg (vipsyria88@gmail.com)
- Detected by
- Xygeni
- Also known as
- SeedSweep
- Ecosystems
- npm
- Packages tracked
- 4
What happened
Xygeni's Malicious Code Digest #73 published the SeedSweep disclosure on 2026-06-09. A single fresh npm publisher account, aicrypto-xzggg (stated email vipsyria88@gmail.com, both account and source-control link unverified, registry reputation score strongly negative), uploaded 10 packages in a ~34-minute window starting at 03:23 UTC. Every package carries crypto- or Web3-flavoured naming designed to lure developers searching for DeFi / wallet / farming / swap SDKs.
Payload
Each package ships an identical postinstall hook that runs once per npm install. The script first probes whether the host looks like CI or a sandbox (CI-env-var check, hostname pattern check). If the host looks like a real developer workstation, it sweeps the filesystem for the following high-value targets across six blockchain ecosystems:
- Solana:
~/.config/solana/id.json,~/.solana/keypair.json - Ethereum:
~/.ethereum/keystoreand any keystore JSON under it - Bitcoin:
~/.bitcoin/wallet.dat - Tron, Sui, Aptos: wallet-key file paths specific to each chain
- Generic developer secrets:
~/.ssh/id_*,.envfiles anywhere under the cwd
Everything found is bundled and POSTed to a Telegram bot — bot id 8227918239 — which gives the operator a hands-off mailbox of stolen wallets and credentials. The single most useful IOC for defenders is the bot id; anyone seeing outbound traffic that includes 8227918239 in the URL path or body is hit.
Confirmed packages and versions
Xygeni publicly named four of the ten packages. Cross-referenced directly against the npm registry on 2026-06-10 (each tarball was unpublished on 2026-06-09 ~11:23 UTC but tombstones remain in the registry):
wallet-sdk-93.7.73— published 2026-06-09 03:23:51 UTCswap-sdk-874.63.78— published 2026-06-09 03:55:36 UTCdefi-tools-394.26.29— published 2026-06-09 03:56:33 UTCfarming-tools-124.68.54— published 2026-06-09 03:56:52 UTC
The remaining six package names from the same publisher batch were not enumerated in any source available at ingest time and could not be independently verified against the registry — Xygeni's blog post is the authoritative list. We will backfill the remaining names as additional sources surface.
Detection / response timeline
- 2026-06-09 03:23 → 03:57 UTC —
aicrypto-xzgggpublishes all 10 packages - 2026-06-09 11:23 UTC — npm-support unpublishes every release; package names remain reserved but install attempts fail with "unpublished"
- 2026-06-09 (later same day) — Xygeni publishes the SeedSweep write-up
No formal GHSA was filed at disclosure time — the unpublish-and-warn route is npm's usual handling for new-account spray attacks where there is no maintainer chain to invalidate. Treat npm's unpublish as the authoritative remediation.
Affected packages (4)
- npm
defi-tools-394.26.29 - npm
farming-tools-124.68.54 - npm
swap-sdk-874.63.78 - npm
wallet-sdk-93.7.73
Impact
- Direct theft of crypto signing keys and recovery phrases from developer workstations:
~/.config/solana/id.json,~/.solana/keypair.json,~/.ethereum/keystore,~/.bitcoin/wallet.dat, plus Tron / Sui / Aptos wallet paths postinstallhook fires onnpm installeven without the package beingrequire()d — adding the package topackage.jsonis sufficient exposure- SSH private keys (
~/.ssh/id_*) and.envfiles swept from the working tree - Telegram bot exfiltration channel bypasses most outbound HTTP egress filters that whitelist
api.telegram.org - CI/sandbox heuristic check (skip-execute-if-CI) reduces detection-rate-in-sandbox but maximises hit-rate against real developer hosts
What to do
- 1Grep your lockfiles and
npmcaches for any of the 10 known package names below — block / quarantine any match. The four confirmed names (wallet-sdk-9,swap-sdk-87,defi-tools-39,farming-tools-12) carry the version numbers3.7.73,4.63.78,4.26.29,4.68.54respectively - 2On any developer workstation that ran
npm installfor one of these packages: treat every wallet, every recovery phrase, every SSH key, and every.envvalue as compromised. Move funds from a known-clean machine before rotating - 3Block outbound traffic to
api.telegram.orgfrom developer workstations and CI runners that have no legitimate Telegram integration. Alert on outbound to bot id8227918239 - 4Run
npm install --ignore-scriptsby default; opt-in to lifecycle scripts only for the specific dependencies that require them. Setignore-scripts=truein repo and global.npmrc - 5Audit npm publish history under your team accounts for any new packages published 2026-06-09 — the same operator may have reached additional accounts in the same window