
Cybercriminals are leveraging artificial intelligence to develop a harmful NPM package that can deplete your cryptocurrency wallet.

Cybercriminals have significantly advanced their attack strategies by utilising artificial intelligence to develop a malicious NPM package that disguises itself as a legitimate development tool while covertly draining cryptocurrency wallets. The package, named @Kodane/Patch-Manager, claims to be an “NPM Registry Cache Manager” that offers features like licence validation and registry optimisation. However, it conceals a sophisticated cryptocurrency wallet drainer specifically targeting Solana blockchain assets. This malware campaign highlights a concerning evolution in supply chain attacks, as threat actors exploit the trust that developers place in open-source packages. Released on July 28, 2025, the package garnered over 1,516 downloads across 17 versions within just two days before detection. The attacker, operating under the username “Kodane,” systematically updated the package to avoid detection while preserving its malicious functionality.

The discovery of this malware by GetSafety researchers underscores the increasing use of AI by threat actors to create convincing technical documentation and code comments that mask their malicious intent. The AI-generated nature of the malware is evident through various characteristics that differentiate machine-generated code from human-written malware. The source code features excessive emojis, numerous console.log messages, and over-commented functions with professionally crafted English descriptions. These patterns are typical of output generated by AI coding assistants like Claude, particularly the consistent use of “Enhanced” prefixes and structured markdown documentation.

Upon installation, the package executes a postinstall script that deploys malicious components across different operating systems. The malware strategically installs itself in hidden directories that mimic legitimate cache folders, making detection difficult. A persistent background daemon, connection-pool.js, establishes communication with a command-and-control server, indicating ongoing operations with multiple successful wallet sweeps.
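The installation behaviour described above (an install-time lifecycle hook, a hidden cache-like directory under the user's home, a detached background process named connection-pool.js) is something a developer can check for in a local node_modules tree before the code ever runs. The script below is an added example written for this post; it is not GetSafety's tooling and not the package's own code. The daemon file name connection-pool.js is taken from the report; the package names, the sample postinstall script and the hidden-directory name (.npm-registry-cache) in the constructed fixture are assumptions made up for the demonstration, and the fixture file is only written to disk and scanned, never executed.

```python
"""Audit an npm package tree for install-time lifecycle hooks and the
persistence indicators described in the post (added example, not the
project's or the researchers' code)."""
import json
import re
import tempfile
from pathlib import Path

# Lifecycle scripts that npm runs automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# Heuristics applied to every .js file in a package. The daemon file name
# connection-pool.js comes from the report above; the other patterns are
# generic indicators of persistence under the user's home directory.
SUSPICIOUS_PATTERNS = {
    "known_daemon_name": re.compile(r"connection-pool\.js"),
    "detached_child_process": re.compile(r"detached\s*:\s*true"),
    "hidden_dir_under_home": re.compile(r"homedir\(\)[^\n]*['\"]\.[\w-]*cache"),
    "env_home_lookup": re.compile(r"process\.env\.(HOME|USERPROFILE|APPDATA)"),
}


def audit_package(pkg_dir):
    """Return a sorted list of (location, finding) tuples for one package."""
    pkg_dir = Path(pkg_dir)
    findings = []
    manifest = json.loads((pkg_dir / "package.json").read_text())
    for hook in INSTALL_HOOKS:
        cmd = manifest.get("scripts", {}).get(hook)
        if cmd:
            # Any install hook deserves review: it runs with the developer's
            # privileges the moment the package is installed.
            findings.append(("package.json", f"lifecycle hook {hook}: {cmd}"))
    for js in pkg_dir.rglob("*.js"):
        text = js.read_text(errors="ignore")
        for name, pattern in SUSPICIOUS_PATTERNS.items():
            if pattern.search(text):
                findings.append((js.relative_to(pkg_dir).as_posix(), name))
    return sorted(findings)


def audit_node_modules(root):
    """Audit every package under node_modules (scoped packages included).
    Returns {package name: findings} for packages with at least one finding."""
    root = Path(root)
    report = {}
    manifests = list(root.glob("*/package.json")) + list(root.glob("@*/*/package.json"))
    for manifest in manifests:
        pkg_dir = manifest.parent
        name = json.loads(manifest.read_text()).get("name", pkg_dir.name)
        findings = audit_package(pkg_dir)
        if findings:
            report[name] = findings
    return report


# Constructed fixture: a postinstall script showing the pattern from the post.
# It is written to a temp directory for scanning only and is never executed.
SAMPLE_POSTINSTALL = """\
const os = require('os');
const path = require('path');
const { spawn } = require('child_process');
const cacheDir = path.join(os.homedir(), '.npm-registry-cache');
spawn(process.execPath, [path.join(cacheDir, 'connection-pool.js')],
      { detached: true, stdio: 'ignore' }).unref();
"""


def build_sample_tree():
    """Create a temporary node_modules with one benign and one suspicious package."""
    root = Path(tempfile.mkdtemp()) / "node_modules"
    benign = root / "benign-pad"
    benign.mkdir(parents=True)
    (benign / "package.json").write_text(json.dumps({"name": "benign-pad", "main": "index.js"}))
    (benign / "index.js").write_text("module.exports = (s) => String(s).padStart(5);\n")

    suspicious = root / "@example" / "cache-helper"   # assumed name, not a real package
    suspicious.mkdir(parents=True)
    (suspicious / "package.json").write_text(json.dumps({
        "name": "@example/cache-helper",
        "scripts": {"postinstall": "node setup.js"},
    }))
    (suspicious / "setup.js").write_text(SAMPLE_POSTINSTALL)
    return root


if __name__ == "__main__":
    for pkg, found in audit_node_modules(build_sample_tree()).items():
        print(pkg)
        for location, finding in found:
            print(f"  {location}: {finding}")
```

Run it against a real project with `audit_node_modules("node_modules")`. The check is deliberately noisy in one direction: every install hook is reported, because hooks are the step at which a package gets to run code without being imported, and a reviewer can dismiss the legitimate ones (native build steps, for instance) far faster than they can find a hidden one after the fact. Pairing this with `npm install --ignore-scripts` for untrusted packages removes the automatic execution path entirely.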
