
Malicious AI-generated npm package hits Solana users


AI-generated npm package @kodane/patch-manager drained Solana wallets; 1,500+ downloads before takedown on July 28, 2025.

AI-generated npm package @kodane/patch-manager was flagged for hiding malicious software to drain Solana wallets. The package was uploaded on July 28, 2025, and it was downloaded more than 1,500 times before takedown.

“The package @kodane/patch-manager is a sophisticated cryptocurrency wallet drainer with multiple malicious functions. The drainer is designed to steal funds from unsuspecting developers and their applications’ users.” reads the report published by cybersecurity firm Safety. “The package presents itself as an “NPM Registry Cache Manager” with seemingly legitimate functionality for “license validation and registry optimization.” But that’s all just a show.”

The malicious npm package uses a postinstall script to rename and hide files in disguised cache folders across macOS, Linux, and Windows. On Windows, it hides directories with attrib +H. It achieves persistence by running a background script (connection-pool.js) that connects to a live C2 server, sharing a unique machine ID and managing multiple infected hosts.

The open C2 server used by the malicious npm package logs wallet thefts without requiring authentication. Once a wallet is found, a second script (transaction-cache.js) drains funds, leaving just enough to cover fees. Stolen Solana is sent to a hardcoded address, showing high activity likely tied to over 1,500 infected users.
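The install-time behaviour described above (a `postinstall` hook that renames files into disguised cache folders, sets the hidden attribute on Windows and launches a background script) is something a defender can screen for before `npm install` ever runs. The following is an added example and not code from the Safety report or from any npm tooling: it reads a `package.json`, reports which lifecycle hooks are present, and flags commands matching behaviours the article describes. The pattern names, the function name `auditLifecycleScripts` and the sample `package.json` are all constructed for this illustration.

```javascript
// Added example (not from the report or the npm project): a pre-install
// audit of package.json lifecycle scripts. It does not run anything; it
// only reports which hooks exist and which commands deserve a closer look.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Heuristics drawn from behaviours the article describes. The names are
// ours; the patterns are deliberately broad and will produce false
// positives, so treat a hit as "review this", not "malicious".
const SUSPICIOUS_PATTERNS = [
  { name: "hidden-attribute", re: /attrib\s+\+h\b/i },          // Windows attrib +H
  { name: "background-process", re: /\b(nohup|start\s+\/b|spawn|detached)\b/i },
  { name: "rename-or-move", re: /\b(mv|move|ren|rename)\b/i },    // files shuffled into "cache" dirs
  { name: "network-fetch", re: /\b(curl|wget|fetch|https?:\/\/)\b/i },
  { name: "runs-node-file", re: /\bnode\s+\S+\.js\b/i },          // e.g. a helper .js started at install
];

// Parse the package.json text and audit its lifecycle hooks.
// Returns { name, hasLifecycleScripts, findings: [{ hook, command, flags }] }.
function auditLifecycleScripts(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const scripts = pkg.scripts || {};
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    if (!(hook in scripts)) continue;
    const command = String(scripts[hook]);
    const flags = SUSPICIOUS_PATTERNS
      .filter((p) => p.re.test(command))
      .map((p) => p.name);
    findings.push({ hook, command, flags });
  }
  return {
    name: pkg.name,
    hasLifecycleScripts: findings.length > 0,
    findings,
  };
}

// Constructed sample package.json for the demonstration (not the real
// package's manifest): a postinstall hook that runs a helper script and
// hides a directory, mirroring the behaviour described in the article.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "example-cache-manager",
  version: "1.0.0",
  scripts: {
    postinstall: "node lib/setup.js && attrib +H .cache",
    test: "echo ok",
  },
});

// Stand-alone usage: print the audit result for the constructed sample.
console.log(JSON.stringify(auditLifecycleScripts(SAMPLE_PACKAGE_JSON), null, 2));
```

In practice this belongs in CI or a pre-install hook of your own, and it complements rather than replaces the blunt control of installing with `npm install --ignore-scripts` (or setting `ignore-scripts=true` in `.npmrc`), which stops lifecycle hooks from executing at all; the audit then tells you which packages you would be opting back in for.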

“It’s pretty rare that you get to see and play around with C2 infrastructure, but in this case the threat actor has left it open to the public.” continues the report.


The malicious npm package “@kodane/patch-manager” was published by user “Kodane,” who uploaded 19 versions in just two days starting July 28, 2025. While “Kodane” means “offspring” in Japanese, timestamps suggest a UTC+5 origin, possibly Russia, China, or India. The malware’s well-written documentation and descriptive code comments suggest it was likely AI-generated. Telltale signs include excessive console logs, emojis in code, structured markdown, and the repeated use of terms like “Enhanced”, patterns typical of AI tools like Claude.

“Whenever you point Claude at a source code file and tell it to add something, or modify it in some way, it names the new file “Enhanced <thing>” where “thing” is what it used to be named. To Claude, any time it touches code, it “enhances” it. Even when it deletes things it shouldn’t. It’s still “enhanced” to Claude.” states the report.

These clues point to the use of AI to disguise the malicious intent behind professional-looking code.

Malware developers are using AI because it helps them create more convincing, well-documented, and harder-to-detect code. AI can generate clean syntax, realistic comments, and professional-looking documentation, making malicious packages appear legitimate. This increases trust and download rates before detection and removal.

The researchers also published Indicators of Compromise (IOCs) for this threat.


Pierluigi Paganini
