Executive Summary
Socket disclosed five npm typosquats targeting cryptocurrency and DeFi developers on March 24, 2026 Socket opens in a new tab. The packages were published by npm account galedonovan: raydium-bs58, base-x-64, bs58-basic, ethersproject-wallet, and base_xd. Current npm metadata shows that the malicious publication window began in November 2025, not on the disclosure date. Four package records were replaced with 0.0.1-security placeholders on April 1, 2026; base_xd@0.0.5 had been unpublished five minutes after publication in November 2025 npm opens in a new tab.
When a targeted decode function or wallet constructor ran under Node.js 18 or later, the packages attempted to send private-key material to a hardcoded Telegram Bot API endpoint. Treat installation as exposure, but distinguish installation from confirmed key exfiltration: Socket reports that the payload uses global fetch(), so on older Node.js releases it throws a caught ReferenceError and does not transmit Socket opens in a new tab.