Cyfirma multi-stage crypto-wallet campaign: moralis-sdk, ethers-jss, coinbase-wallet-utils, plus the `ethcompat` ethereum-C2 cluster
Cyfirma Research disclosed an 11-package npm campaign targeting Web3 / blockchain developers across three clusters: a YouTube-page-gated postinstall trojan in moralis-sdk (2.7M+ downloads from the legitimate package name), the ethers-jss / coinbase-wallet-utils private-key sweepers (both yanked 2026-06-10), three long-lived typosquats (ganach, solidty, stelar-sdk, live since 2024), and the ethcompat 5-pack (hardhat-deploy-utils, web3-deploy-helper, defi-sdk-core, ethers-compat, ethereum-dev-utils) that AES-256-GCM-encrypts stolen creds and embeds them in Ethereum transactions to an attacker wallet.
- Detected by
- Cyfirma
- Ecosystems
- npm
- Packages tracked
- 11
What happened
Cyfirma Research published the multi-stage cryptocurrency npm campaign disclosure mid-June 2026, surfacing 11 malicious npm packages targeting blockchain developers, Web3 projects, cryptocurrency wallet operators, and cloud-native development environments. The campaign spans three operationally distinct clusters that share TTPs and victim profile but use different staging / exfil paths. Cyfirma identifies the campaign as ongoing, with several of the packages still live on the registry at time of disclosure.
Cluster 1 — moralis-sdk YouTube-gated multi-stage loader (the headline finding)
moralis-sdk was published on 2025-10-28 as a clean clone of the legitimate Moralis JS SDK and accumulated ~2.7M cumulative downloads against the legitimate package name before the campaign weaponised it. Version 1.0.1 (2025-11-11) added a heavily-obfuscated postinstall.js that uses a specific YouTube watch-page as a remote activation switch — the payload only delivers if a hidden marker string is found in the page body. This conditional execution is what kept the package below detection thresholds for ~6 months. Capabilities include cryptocurrency wallet interception, private key and mnemonic phrase theft, SSH credential harvesting, environment variable collection, sensitive file discovery, blockchain-based infrastructure retrieval, and multi-stage payload delivery. Both versions remain live on the npm registry at time of writing.
Cluster 2 — ethers-jss / coinbase-wallet-utils private-key sweepers
Published within minutes of each other on 2026-05-09 (01:58 and 02:01 UTC respectively) by what appears to be a coordinated single operator. ethers-jss@6.13.1 impersonates the legitimate ethers JS library v6 line; coinbase-wallet-utils@1.0.0 impersonates the Coinbase Wallet SDK utility surface. The Coinbase package starts with reconnaissance — host name, username, env vars, working directory — and exfils via curl. Both were yanked by npm-support on 2026-06-10 at 11:40 UTC and replaced with 0.0.1-security holders.
Cluster 3 — ethcompat Ethereum-blockchain-C2 5-pack
The most technically interesting cluster. The npm publisher ethcompat released five packages on 2026-05-02 within ~15 seconds of each other (01:52:51 → 01:53:13 UTC):
hardhat-deploy-utils@1.0.0web3-deploy-helper@1.0.0defi-sdk-core@1.0.0ethers-compat@1.0.0ethereum-dev-utils@1.0.0
Combined downloads: 2,236. Each carries a postinstall script that harvests deployment credentials, SSH keys, mnemonic seed phrases, and .env-resident secrets, AES-256-GCM-encrypts the bundle, and then embeds the ciphertext inside the data payload of an Ethereum transaction sent to a hard-coded attacker wallet. This converts the victim's own Ethereum wallet into the exfiltration channel — every block explorer is a covert C2 retrieval point, no DNS / HTTPS exfil signature, and the operator can recover the encrypted payload from any read-only Ethereum node. As of disclosure all five packages were still live on the registry.
Cluster 4 — ganach / solidty / stelar-sdk long-lived typosquats
Three dormant typosquats published on 2024-11-01 by a separate publisher chain that Cyfirma links to the same operator infrastructure:
ganach@7.9.2(typosquat ofganache)solidty@0.0.1(typosquat ofsolidity)stelar-sdk@12.3.0(typosquat ofstellar-sdk)
Version numbers were chosen to track the legitimate target packages' real release line, increasing the chance of accidental installation via fat-finger. All three remain live on npm at time of cataloguing.
Common payload signal
Across all four clusters Cyfirma identifies overlapping tactics: typosquatting, postinstall / preinstall abuse, credential harvesting, wallet theft, blockchain-based C2 and exfiltration, and multi-stage payload delivery. The Ethereum-transaction-as-exfil mechanism in the ethcompat cluster is the distinguishing IOC — if any of your developer wallets has emitted a transaction with a non-empty data payload to an unfamiliar address in May or June 2026, treat the host as compromised.
Status at ingest
Only ethers-jss and coinbase-wallet-utils have been actioned by npm-support as of 2026-06-15. moralis-sdk (the highest-download / highest-impact package in the campaign), the ethcompat 5-pack, and the three 2024-vintage typosquats are still installable. Lockfile audits and registry-level blocks are required because npm has not delisted these yet.
2026-06-21 status re-check
Eight days after Cyfirma's disclosure the npm registry still serves all nine of the originally-still-live packages: moralis-sdk@1.0.0/1.0.1 (no deprecation, dist-tags.latest = 1.0.1), the ethcompat 5-pack (each single-version 1.0.0, no deprecation), and the three 2024-vintage typosquats (ganach@7.9.2, solidty@0.0.1, stelar-sdk@12.3.0). ethers-jss and coinbase-wallet-utils remain replaced with 0.0.1-security holders from 2026-06-10. Defenders need ecosystem-level lockfile blocks because npm-support has not actioned the remaining nine packages in the eight days since disclosure.
Affected packages (11)
- npm
coinbase-wallet-utils1.0.0 - npm
defi-sdk-core1.0.0 - npm
ethereum-dev-utils1.0.0 - npm
ethers-compat1.0.0 - npm
ethers-jss6.13.1 - npm
ganach7.9.2 - npm
hardhat-deploy-utils1.0.0 - npm
moralis-sdk1.0.01.0.1 - npm
solidty0.0.1 - npm
stelar-sdk12.3.0 - npm
web3-deploy-helper1.0.0
Impact
postinstallscript fires onnpm install— adding any package topackage.jsonand running install is sufficient exposure; norequire()neededmoralis-sdkuses a YouTube page as a remote activation switch and only delivers its payload when a hidden marker is found, so sandbox / CI runs may not detect compromise- Direct theft of Ethereum private keys, mnemonic seed phrases, MetaMask vault material, hardware-wallet derivation paths, and any
*.json/*.envfile in the developer working tree - SSH private keys (
~/.ssh/id_*), AWS credentials, GitHub PATs, npm publish tokens, and environment variables harvested alongside wallet secrets ethcompatcluster turns the victim's own Ethereum wallet into the exfiltration channel: stolen credentials are AES-256-GCM encrypted and embedded as transactiondatapayloads to an attacker-controlled address — every blockchain explorer is a covert C2 retrieval pointmoralis-sdk1.0.0 / 1.0.1 are STILL LIVE on the npm registry at time of writing (~2.7M cumulative downloads);ganach,solidty, andstelar-sdktyposquats have been live since 2024-11-01 and are still installableethers-jssandcoinbase-wallet-utilswere yanked by npm-support on 2026-06-10 and replaced with0.0.1-securityholders, but lockfiles that pinned to the malicious versions still resolve
What to do
- 1Grep your lockfiles,
node_modules, and CI install caches for any of the 11 affected package names — remove and quarantine any match. The Web3 / blockchain developer audience is the entire target — Hardhat, Ethers.js, Web3.js, Solidity, Stellar, Moralis, and Coinbase-Wallet integrations are all in scope - 2Treat any host that ran
npm installfor these packages as fully compromised: rotate Ethereum private keys, MetaMask seed phrases, hardware-wallet recovery phrases, SSH keys, npm publish tokens, AWS credentials, and GitHub PATs from a known-clean machine BEFORE moving funds - 3Audit Ethereum on-chain history for outbound transactions from your developer wallets to unfamiliar addresses, particularly transactions with non-empty
datapayloads — theethcompatcluster uses transaction data as its exfil channel - 4Run
npm install --ignore-scriptsby default; opt-in to lifecycle scripts only for vetted dependencies. Setignore-scripts=truein repo-local and global.npmrc - 5Block outbound HTTPS to YouTube from CI runners and untrusted developer workstations —
moralis-sdkuses a YouTube watch-page as its activation oracle, and the legitimate engineering use cases on a build runner are essentially nil - 6Pin Web3 SDKs to the verified canonical name and registry of the legitimate project —
ganache,solidity, andstellar-sdk(the legitimate names) are what you want;ganach,solidty,stelar-sdkare the typosquat traps
References
- CyfirmaNew NPM Supply Chain Campaign Identified: A Multi-Stage Cryptocurrency Malware with More Than 2.7 million Downloadscyfirma.com
- npmmoralis-sdk on npm (1.0.0 / 1.0.1 still live)registry.npmjs.org
- npmethers-jss on npm (6.13.1 replaced with 0.0.1-security 2026-06-10)registry.npmjs.org
- npmcoinbase-wallet-utils on npm (1.0.0 replaced with 0.0.1-security 2026-06-10)registry.npmjs.org
- npmhardhat-deploy-utils on npm (1.0.0 still live, ethcompat publisher)registry.npmjs.org
- npmweb3-deploy-helper on npm (1.0.0 still live, ethcompat publisher)registry.npmjs.org
- npmdefi-sdk-core on npm (1.0.0 still live, ethcompat publisher)registry.npmjs.org
- npmethers-compat on npm (1.0.0 still live, ethcompat publisher)registry.npmjs.org
- npmethereum-dev-utils on npm (1.0.0 still live, ethcompat publisher)registry.npmjs.org
- npmganach typosquat on npm (7.9.2 published 2024-11-01, still live)registry.npmjs.org
- npmsolidty typosquat on npm (0.0.1 published 2024-11-01, still live)registry.npmjs.org
- npmstelar-sdk typosquat on npm (12.3.0 published 2024-11-01, still live)registry.npmjs.org
- CryptikaMalicious npm campaign steals SSH keys, API tokens, cloud credentials and wallet secretscryptika.com
- GBHackersTyposquatted npm packages (Moralis / Coinbase / ethcompat coverage)gbhackers.com