

Ethical Hacking News

AI-Generated Malicious Npm Package Drains Solana Funds from 1,500+ Before Takedown: A Threat to the Cybersecurity of Software Supply Chains


A new and alarming threat has emerged in the form of a malicious npm package generated using artificial intelligence (AI) that has drained funds from over 1,500 users on the Solana blockchain.

  • The @kodane/patch-manager npm package drained funds from over 1,500 users on the Solana blockchain.
  • The malicious package was generated using AI and was uploaded to the npm registry in July 2025.
  • The package attracted over 1,500 downloads before being removed due to concerns about its malicious nature.
  • The malware scanned for wallet files and drained funds to a hard-coded wallet address on the Solana blockchain.
  • The incident highlights growing concerns in software supply chain security and the need for robust cybersecurity measures.


    The cybersecurity landscape has recently been shaken by a new and alarming threat. A malicious npm package generated using artificial intelligence (AI) has drained funds from over 1,500 users on the Solana blockchain. The package, @kodane/patch-manager, was uploaded to the npm registry by a user named "Kodane" on July 28, 2025. Despite being removed from the registry due to concerns about its malicious nature, the damage had already been done, with the package attracting over 1,500 downloads before it was taken down.

    The malicious features of the @kodane/patch-manager package were advertised directly in the source code, visible to anyone who inspected it. The behavior is triggered by a postinstall script that drops its payload into hidden directories on Windows, Linux, and macOS systems and then connects to a command-and-control (C2) server at "sweeper-monitor-production.up.railway[.]app." The C2 server lists two compromised machines.

    The malware is designed to scan the system for the presence of a wallet file, and if found, it proceeds to drain all funds from the wallet to a hard-coded wallet address on the Solana blockchain. This attack vector is particularly dangerous because it exploits postinstall scripts that run automatically after a package is installed, creating a blind spot in the software supply chain.

    The discovery of the @kodane/patch-manager package highlights how threat actors are leveraging AI to create more convincing and dangerous malware. The emojis, extensive JavaScript console logging messages, well-written and descriptive comments, and a README.md file written in a style consistent with Claude-generated markdown files all point towards the use of Anthropic's Claude AI chatbot in generating this malicious package.

    The incident underscores growing concerns in software supply chain security, where AI-generated packages may bypass conventional defenses by appearing clean or even helpful. This raises the stakes for package maintainers and security teams, who now need to monitor not just known malware, but increasingly polished, AI-assisted threats that exploit trusted ecosystems like npm.

    The @kodane/patch-manager case serves as a stark reminder of the importance of maintaining vigilance in the cybersecurity world. It demonstrates how even seemingly innocuous packages can harbor malicious intent when generated using advanced technologies like AI.

    In conclusion, the discovery of the @kodane/patch-manager package is a wake-up call for software developers and security experts alike. It highlights the need for robust cybersecurity measures within software supply chains, as well as the importance of staying informed about emerging threats in an ever-evolving landscape.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Ai-Generated-Malicious-Npm-Package-Drains-Solana-Funds-from-1500-Before-Takedown-A-Threat-to-the-Cybersecurity-of-Software-Supply-Chains-ehn.shtml

  • https://thehackernews.com/2025/08/ai-generated-malicious-npm-package.html


  • Published: Fri Aug 1 08:24:03 2025 by llama3.2 3B Q4_K_M












