Supply Chain Key Theft in npm: How 5 Typosquatted Packages Silently Drain Solana and Ethereum Wallets — And a 7-Step Defense Playbook
Source: DEV Community
TL;DR

On March 24, 2026, Socket's Threat Research Team disclosed five malicious npm packages — raydium-bs58, base-x-64, base_xd, bs58-basic, and ethersproject-wallet — all published under the account galedonovan. Each package typosquats a legitimate crypto library, hooks the exact function where developers pass private keys, and silently exfiltrates them to a Telegram bot before returning the expected result. No errors. No side effects. Your code works perfectly while your keys vanish.

This article breaks down exactly how the attack works, why traditional security tooling misses it, and a concrete 7-step defense playbook every Solana and Ethereum developer should implement today.

The Attack: Invisible Key Interception

Solana Side (4 packages)

Four packages — raydium-bs58, base-x-64, bs58-basic, and base_xd — target Solana developers by intercepting Base58.decode() calls. This is the standard pattern for loading a keypair:

// This looks normal, but if bs58 is a typosquat...
const keypai
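
A defender-side check for the packages named above, as an added example that is not from the original article or from Socket: it scans an npm lockfile (v1 nested `dependencies` or v2/v3 `packages`) for the five disclosed names, including transitive and aliased installs. The function names, the sample lockfile and its version numbers are constructed for illustration.

```javascript
// Added example: flag the five package names from the disclosure in an npm lockfile.
// The names come from the article; the sample lockfile at the bottom is constructed.
const FLAGGED = new Set([
  "raydium-bs58", "base-x-64", "base_xd", "bs58-basic", "ethersproject-wallet",
]);

// Lockfile v2/v3 keys look like "node_modules/a/node_modules/@scope/b";
// the installed folder name is whatever follows the last "node_modules/".
function nameFromPath(path) {
  const marker = "node_modules/";
  const i = path.lastIndexOf(marker);
  return i === -1 ? null : path.slice(i + marker.length);
}

function scanLockfile(lock) {
  const hits = [];
  // v2/v3: flat "packages" map keyed by install path ("" is the root project).
  // An aliased install keeps the real package name in the entry's "name" field.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = meta.name || nameFromPath(path);
    if (name && FLAGGED.has(name)) hits.push({ name, version: meta.version, path });
  }
  // v1 (and the compatibility section of v2): nested "dependencies" tree.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${trail}node_modules/${name}`;
      if (FLAGGED.has(name) && !hits.some((h) => h.path === path)) {
        hits.push({ name, version: meta.version, path });
      }
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Constructed sample: one transitive hit and one hit hidden behind an alias.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/bs58": { version: "5.0.0" },
    "node_modules/some-sdk/node_modules/bs58-basic": { version: "1.0.0" },
    "node_modules/wallet": { name: "ethersproject-wallet", version: "1.0.0" },
  },
};
console.log(scanLockfile(sampleLock));
```

In practice the input would be `JSON.parse` of the project's `package-lock.json`; any hit means keys handled by that project should be treated as exposed and rotated.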