Overview

• Researchers removed the @kodane/patch-manager package from npm to halt downloads after uncovering its malicious postinstall behavior.
• The drainer established connections to an open command-and-control server at sweeper-monitor-production.up.railway.app to log machine IDs and coordinate thefts.
• Malware scanned for Solana wallet files across Windows, macOS and Linux environments, siphoning all funds to a hard-coded blockchain address while leaving enough to cover transaction fees.
• Analysts identified AI fingerprints in the code—such as emojis, extensive console logs and “Enhanced” file naming—that align with patterns from Anthropic’s Claude model.
• Indicators of compromise have been published to aid detection, and security teams are reinforcing dependency monitoring and runtime inspection to counter similar AI-assisted supply chain attacks.