Article Details

Scrape Timestamp (UTC): 2025-08-01 12:22:28.393

Source: https://thehackernews.com/2025/08/ai-generated-malicious-npm-package.html

Original Article Text


AI-Generated Malicious npm Package Drains Solana Funds from 1,500+ Before Takedown

Cybersecurity researchers have flagged a malicious npm package that was generated using artificial intelligence (AI) and concealed a cryptocurrency wallet drainer. The package, @kodane/patch-manager, claims to offer "advanced license validation and registry optimization utilities for high-performance Node.js applications." It was uploaded to npm by a user named "Kodane" on July 28, 2025. The package is no longer available for download from the registry, but not before it attracted over 1,500 downloads.

Software supply chain security company Safety, which discovered the library, said the malicious features are advertised directly in the source code, calling it an "enhanced stealth wallet drainer." Specifically, the behavior is triggered as part of a postinstall script that drops its payload within hidden directories across Windows, Linux, and macOS systems, and then proceeds to connect to a command-and-control (C2) server at "sweeper-monitor-production.up.railway[.]app."

"The script generates a unique machine ID code for the compromised host and shares that with the C2 server," Paul McCarty, head of research at Safety, said, noting that the C2 server lists two compromised machines. The malware is designed to scan the system for the presence of a wallet file, and if found, it proceeds to drain all funds from the wallet to a hard-coded wallet address on the Solana blockchain.

While this is not the first time cryptocurrency drainers have been identified in open-source repositories, what makes @kodane/patch-manager stand out are clues that suggest the use of Anthropic's Claude AI chatbot to generate it. These include the presence of emojis, extensive JavaScript console logging messages, well-written and descriptive comments, a README.md markdown file written in a style consistent with Claude-generated markdown files, and Claude's habit of labelling code changes as "Enhanced."
The discovery of the npm package highlights "how threat actors are leveraging AI to create more convincing and dangerous malware," McCarty said.

Daily Brief Summary

MALWARE // AI-Created Malware Drains Cryptocurrency Through npm Package

The malicious npm package @kodane/patch-manager, generated with AI and disguised as a Node.js utility, drained Solana funds from over 1,500 victims before its removal.

Developed by an unknown user under the pseudonym "Kodane" and uploaded on July 28, 2025, the package claimed to optimize Node.js application performance.

The package executed a post-installation script that hid its payload in system directories and connected to a command-and-control server to coordinate its actions.

This malware specifically targeted cryptocurrency wallets on compromised machines, automatically transferring funds to a hardcoded Solana wallet address.

Safety, a software supply chain security firm, identified and disclosed the malicious nature of the npm package.

Features suggestive of AI involvement include the use of descriptive comments, emojis, and a README.md consistent with outputs from Anthropic's Claude AI.

The incident underscores rising concerns about using AI tools to develop sophisticated and convincing malware in software supply chains.