{
	"id": "a99af996-96c5-4a0d-9da2-290870c18a79",
	"created_at": "2026-04-06T00:08:53.668677Z",
	"updated_at": "2026-04-10T13:11:48.983953Z",
	"deleted_at": null,
	"sha1_hash": "a3b4a0585881a9d10a3517fb63ce21b2913d7a30",
	"title": "Malicious npm and PyPI Packages Disguised as Dev Tools to Steal Credentials",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 387198,
	"plain_text": "Malicious npm and PyPI Packages Disguised as Dev Tools to Steal Credentials\r\nBy Mandvi\r\nPublished: 2025-04-22 · Archived: 2026-04-05 18:12:16 UTC\r\nThe Socket Threat Research Team has identified a new supply chain threat targeting developers in the crypto space: three malicious packages, one on npm and two on PyPI, masquerading as legitimate developer utilities while covertly exfiltrating sensitive wallet credentials.\r\nThese packages, “react-native-scrollpageviewtest” (npm), “web3x” (PyPI), and “herewalletbot” (PyPI), have collectively amassed nearly 8,000 downloads, exposing unsuspecting developers to significant asset loss by harvesting mnemonic seed phrases and private keys.\r\nOpen Source Registries Targeted by Credential-Harvesting Malware\r\nThe npm package “react-native-scrollpageviewtest,” first released in 2021, camouflages itself as a benign page-scrolling tool for React Native.\r\nInstead, it employs advanced obfuscation by dynamically constructing sensitive API names in memory, splitting relevant strings to evade static detection, and encoding key controller references in Base64.\r\nOnce loaded, the package extracts mnemonic seed phrases and private keys from local wallet storage, prepends each exfiltrated secret with randomized data, and stealthily transmits them to a Google Analytics endpoint using standard event telemetry formats.\r\nThis abuse of Google Analytics (Tracking ID UA-215070146-1) leverages the routine whitelisting of analytics domains in enterprise environments, ensuring that the attacker’s exfiltration attempts blend in with normal network traffic and evade conventional perimeter defenses.\r\nIn parallel, two PyPI packages, “web3x” and “herewalletbot,” exploit the trust of Python developers with similar credential-stealing techniques.\r\n“web3x” presents as an Ethereum wallet balance checker but, upon execution, immediately prompts the user for a mnemonic seed phrase and relays it, 
along with wallet balances, to an attacker-controlled Telegram bot via the Telegram Bot API.\r\nThe exfiltration is near-instantaneous and silent, enabling rapid wallet compromise.\r\nThreat Actors Use Google Analytics and Telegram Bots for Exfiltration\r\nThe “herewalletbot” package, meanwhile, impersonates an automation tool for Telegram-based crypto rewards.\r\nhttps://cyberpress.org/malicious-npm-and-pypi-packages-disguised-as-dev-tools\r\nPage 1 of 4\n\nIt scripts a headless browser session, guiding unsuspecting users through the Telegram login process and directly soliciting their mnemonic seed phrase under the guise of a rewards claim.\r\nThis seed phrase is then exfiltrated into the chat window of a Telegram bot (@herewalletbot), giving the attacker full control over the victim’s crypto assets.\r\nDespite apparent attempts by its author to conceal this functionality, including amending public documentation while retaining the malicious logic, the package continued to compromise credentials until publicly flagged.\r\nThe threat actors behind these campaigns demonstrate operational sophistication: leveraging social engineering, string obfuscation, staged payload exfiltration, and nuanced detection evasion.\r\nTheir techniques, such as Base64-encoded API references, randomized exfiltration payloads, hardcoded bot tokens, and conditional execution to avoid developer or test environments, underscore a sharp focus on persistence and stealth.\r\nThe persistence of these packages on public registries underscores a critical risk: open-source ecosystems remain a high-value vector for supply chain compromise.\r\nDevelopers who inadvertently install such modules risk catastrophic loss, particularly in the context of cryptocurrency, where stolen mnemonics and private keys enable irreversible asset transfers.\r\nSecurity experts urge developers to remain vigilant: never enter or transmit seed phrases or private keys to any utility, script, 
or package.\r\nTools that request such credentials, especially within automation, wallet management, or browser integration contexts, should be treated with extreme suspicion.\r\nOrganizations should adopt proactive measures, including automated dependency scanning, runtime monitoring, and strict code review, especially for packages related to Web3, authentication, or browser automation.\r\nAccording to the report, Socket and similar platforms provide essential tooling to proactively analyze dependencies and block threats before code reaches production.\r\nDevelopers are advised to utilize these resources and consistently apply the security principle of explicit trust, particularly when handling high-value credentials within open-source pipelines.\r\nIndicators of Compromise (IOC)\r\nType | Indicator / Value | Description\r\nPackage | react-native-scrollpageviewtest | Malicious npm package\r\nPackage | web3x | Malicious PyPI package\r\nPackage | herewalletbot | Malicious PyPI package\r\nEndpoint | @herewalletbot | Telegram bot for exfiltration\r\nEndpoint | hxxps://web[.]telegram[.]org/k/#@herewalletbot | Telegram bot phishing URL\r\nToken | 5847347125:AAG-WskaS485OUlGLfa5AKEMW1aKYymplPQ | Telegram bot token (web3x)\r\nEmail | twoplusten@163[.]com | npm threat actor email (twoplus)\r\nEmail | xeallmail@mitico[.]org | PyPI threat actor email (tonymevbots)\r\nEmail | bevansatria@gmail[.]com | PyPI threat actor email (vannszs)\r\nAlias | twoplus | npm threat actor alias\r\nAlias | tonymevbots | PyPI threat actor alias\r\nAlias | vannszs | PyPI/GitHub threat actor alias\r\nGitHub | https://github.com/vannszs/HotWalletBot/ | Related malicious repo (defunct)\r\nGoogle Analytics | UA-215070146-1 | Used for exfiltration by npm package\r\n
Mandvi\r\nMandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.\r\nSource: https://cyberpress.org/malicious-npm-and-pypi-packages-disguised-as-dev-tools",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://cyberpress.org/malicious-npm-and-pypi-packages-disguised-as-dev-tools"
	],
	"report_names": [
		"malicious-npm-and-pypi-packages-disguised-as-dev-tools"
	],
	"threat_actors": [],
	"ts_created_at": 1775434133,
	"ts_updated_at": 1775826708,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a3b4a0585881a9d10a3517fb63ce21b2913d7a30.pdf",
		"text": "https://archive.orkl.eu/a3b4a0585881a9d10a3517fb63ce21b2913d7a30.txt",
		"img": "https://archive.orkl.eu/a3b4a0585881a9d10a3517fb63ce21b2913d7a30.jpg"
	}
}