Cybersecurity researchers have flagged a malicious npm package that was generated using artificial intelligence (AI) and concealed a cryptocurrency wallet drainer.
The package, @kodane/patch-manager, claims to offer “advanced license validation and registry optimization utilities for high-performance Node.js applications.” It was uploaded to npm by a user named “Kodane” on July 28, 2025. The package is no longer available for download from the registry, but not before it attracted over 1,500 downloads.
Software supply chain security company Safety, which discovered the library, said the malicious features are advertised directly in the source code, calling it an “enhanced stealth wallet drainer.”
Protect your privacy by Mullvad VPN. Mullvad VPN is one of the famous brands in the security and privacy world. With Mullvad VPN you will not even be asked for your email address. No log policy, no data from you will be saved. Get your license key now from the official distributor of Mullvad with discount: SerialCart® (Limited Offer).
➤ Get Mullvad VPN with 12% Discount
Specifically, the behavior is triggered as part of a postinstall script that drops its payload within hidden directories across Windows, Linux, and macOS systems, and then proceeds to connect to a command-and-control (C2) server at “sweeper-monitor-production.up.railway[.]app.”
“The script generates a unique machine ID code for the compromised host and shares that with the C2 server,” Paul McCarty, head of research at Safety, said, noting that the C2 server lists two compromised machines.
The malware is designed to scan the system for the presence of a wallet file, and if found, it proceeds to drain all funds from the wallet to a hard-coded wallet address on the Solana blockchain.
While this is not the first time cryptocurrency drainers have been identified in open-source repositories, what makes @kodane/patch-manager stand out are clues that suggest the use of Anthropic’s Claude AI chatbot to generate it.
This includes the presence of emojis, extensive JavaScript console logging messages, well-written and descriptive comments, the README.md markdown file written in a style that’s consistent with Claude-generated markdown files, and Claude’s pattern of calling code changes as “Enhanced.”
The discovery of the npm package highlights “how threat actors are leveraging AI to create more convincing and dangerous malware,” McCarty said.
Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.
Some parts of this article are sourced from:
thehackernews.com
You Are What You Eat: Why Your AI Security Tools Are Only as Strong as the Data You Feed Them