Experts from the company Safety discovered a malicious package in npm, generated using AI, which concealed malware designed to steal cryptocurrency wallet data.
A package named @kodane/patch-manager allegedly offered “advanced license verification tools and registry optimization for high-performance Node.js applications.” It was uploaded to npm by a user with the nickname Kodane on July 28, 2025. Currently, the package has been removed from the registry, but before its removal, it was downloaded more than 1,500 times.
Researchers note that the malicious functions of the package were listed directly in its source code: the component for stealing cryptocurrency was called an “enhanced stealth wallet drainer.”
The attack was carried out through a postinstall script that was triggered upon the package installation. The script stored the payload in hidden directories on Windows, Linux, and macOS, then generated an ID for the infected machine and connected to a command-and-control server at sweeper-monitor-production.up.railway[.]app. At the time of analysis, this server displayed only two infected devices.
After infection, the malware scans the system for cryptocurrency wallet files, and if it finds them, it transfers all the funds to a hard-coded address in the Solana blockchain. It is assumed that most of the transactions associated with this wallet are obtained from compromised wallets of users who installed the malicious package.
While malware designed to steal cryptocurrency has been discovered in open source repositories multiple times before, @kodane/patch-manager stands out because, according to researchers, it was generated using the Claude chatbot from Anthropic. Researchers list the following evidence for this claim:
- use of emojis;
- numerous console log messages typical for JavaScript;
- well-written descriptive comments in the code;
- a README.md file written in a style characteristic of Claude;
- a tendency to refer to code changes with the word “Enhanced.”
According to experts, this incident demonstrates that attackers are using AI to create increasingly sophisticated and dangerous malware.