Researchers have discovered four new malicious libraries in the npm registry disguised as legitimate Flashbots tools. They are designed to steal Ethereum developers' private keys and mnemonic phrases and send the data to the attackers' Telegram bot.

The packages were published by a user under the nickname *flashbotts*; the first appeared in September 2023 and the last in August 2025. The most dangerous of them, @flashbotts/ethers-provider-bundle, posed as the Flashbots SDK and contained hidden functions that exfiltrate environment variables via SMTP and redirect unverified transactions to the attacker's wallet.
The other packages (**flashbot-sdk-eth, sdk-ethers, gram-utilz**) also carried hidden capabilities to steal mnemonic phrases and private keys and transmit them to Telegram. What makes this particularly dangerous is that the code looked largely legitimate, which made the malicious functions hard to spot.
Comments in the source code suggest the attacker is Vietnamese-speaking and financially motivated.
Flashbots is one of the key players in combating the negative effects of MEV (Maximal Extractable Value) on the Ethereum network, such as "sandwich attacks" and "frontrunning". The brand's popularity creates ideal conditions for software supply chain attacks: developers and validators readily reach for packages carrying a well-known name.
According to Socket researchers, a private key compromise in this space can instantly lead to an irreversible loss of funds, since all Ethereum transactions are irreversible.
The incident with the fake libraries shows once again that trusting familiar names in package managers can end in disaster. Developers should verify the origin of the libraries they install and follow the official Flashbots channels to avoid pulling in infected dependencies.
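As an added illustration of the check recommended above (this is example code, not from the report or from Flashbots or Socket), the script below audits a dependency list for the two warning signs this incident shows: names that imitate a trusted package or its scope, and package source that reads secrets while contacting an exfiltration channel such as the Telegram bot API or an SMTP library. It assumes the genuine package is `@flashbots/ethers-provider-bundle` and that bundled package source is available as text; the dependency list and source snippet are constructed samples.

```python
"""Audit npm dependency names and sources for lookalike names and secret exfiltration."""
import re
from difflib import SequenceMatcher

# Assumption: the genuine package lives in the @flashbots npm scope.
TRUSTED = {"@flashbots/ethers-provider-bundle", "ethers"}
LOOKALIKE_THRESHOLD = 0.85
SECRET_ACCESS = re.compile(r"process\.env|mnemonic|privateKey", re.I)
EXFIL_CHANNEL = re.compile(r"api\.telegram\.org|nodemailer|\bsmtp\b", re.I)


def audit_package(name, source=""):
    """Return a list of human-readable findings for one dependency."""
    findings = []
    if name in TRUSTED:
        return findings
    for trusted in TRUSTED:
        ratio = SequenceMatcher(None, name, trusted).ratio()
        if ratio >= LOOKALIKE_THRESHOLD:
            findings.append(f"lookalike of {trusted} (similarity {ratio:.2f})")
    if "flashbot" in name.lower() and not name.startswith("@flashbots/"):
        findings.append("uses the Flashbots name outside the @flashbots scope")
    exfil = EXFIL_CHANNEL.search(source)
    if exfil and SECRET_ACCESS.search(source):
        findings.append(f"reads secrets and contacts {exfil.group(0)}")
    return findings


def audit_dependencies(deps, sources=None):
    """deps: package.json 'dependencies' dict; sources: name -> bundled JS text."""
    sources = sources or {}
    report = {n: audit_package(n, sources.get(n, "")) for n in deps}
    return {n: f for n, f in report.items() if f}


# Constructed sample input: a package.json fragment and one source snippet.
SAMPLE_DEPS = {
    "ethers": "^6.0.0",
    "@flashbotts/ethers-provider-bundle": "1.0.0",
    "flashbot-sdk-eth": "1.0.0",
    "gram-utilz": "0.1.0",
}
SAMPLE_SOURCES = {
    "gram-utilz": "const m = process.env.MNEMONIC;\n"
                  "fetch('https://api.telegram.org/bot<TOKEN>/sendMessage');",
}

if __name__ == "__main__":
    for pkg, why in audit_dependencies(SAMPLE_DEPS, SAMPLE_SOURCES).items():
        print(pkg, "->", "; ".join(why))
```

Run it against a real `package.json` by loading its `dependencies` object and, for deeper checks, the text of each package's main file from `node_modules`.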