Researchers Remove AI-Generated npm Wallet Drainer, Publish IoCs

Security experts released indicators of compromise, tightening supply chain defenses against AI-generated threats.


Overview

  • Researchers removed the @kodane/patch-manager package from npm to halt further downloads after uncovering a malicious postinstall script that runs automatically when the package is installed.
  • The drainer reported to an openly accessible command-and-control server at sweeper-monitor-production.up.railway.app, logging machine IDs and coordinating thefts from there.
  • The malware scanned for Solana wallet files on Windows, macOS and Linux and drained each wallet to a hard-coded Solana address, leaving only enough to cover transaction fees.
  • Analysts identified AI fingerprints in the code—such as emojis, extensive console logs and “Enhanced” file naming—that align with patterns from Anthropic’s Claude model.
  • Indicators of compromise have been published to aid detection, and security teams are reinforcing dependency monitoring and runtime inspection to counter similar AI-assisted supply chain attacks.