2 Sources
[1]
Emoji use suggests crypto-stealing NPM package was AI-made
Kodane code was either machine-generated or done by a teenager

An NPM package packed with cryptocurrency-stealing malware appears to have been largely AI-generated, as evidenced by its liberal use of emojis and other telltale signs.

Security shop Safety found the Kodane attack code in an npm module masquerading as "NPM Registry Cache Manager," which claimed to offer "license validation and registry optimization" for Node.js apps. But when they dug into it, the source code made very clear what the actual purpose of the software was: in the markdown docs it calls itself Enhanced Stealth Wallet Drainer and, when activated, will empty any cryptocurrency wallet it can find on Windows, macOS, and Linux systems and send the currency to an address on the Solana blockchain.

Judging from the transaction details, the criminal behind the code has had a lot of success, as you can see from the list of successful transactions below. It's a cunning piece of malware, taking most of the money out of any crypto wallet it finds but leaving enough in there to cover the transaction fees when the main loot is removed.

In all, 19 packages of the code were spammed out over the space of two days. Although Kodane is the Japanese word for child, the UTC +5 malware upload time suggests the operator could be based in Russia or Central Asia.

"The documentation included in the package is professionally written and contains believable technical details, and avoids typical red flags that might alert developers," wrote Paul McCarty, Safety's head of research. "Similarly, the comments through the code are well written, in English, and describe the functions well. What might initially seem legitimate is actually evidence that the malware creator probably used AI to generate convincing technical documentation that disguises the true purpose of the code."

A more detailed breakdown of the code gives even further indication that AI was used to write large chunks of it.
One key giveaway is the use of emojis, something no serious developer really does. "For some reason code generating AI platforms love to put emojis in source code. No developer that I know does this, unless they are 14," McCarty opined. "Claude, however, does this every time I use it. It's obsessed with emojis, I swear."

There are other signs that look like the fingerprints of the Claude model. For example, the code contains a number of markdown files that are formatted in the way the AI engine likes to do it, and makes frequent use of the word "Enhanced," which is another Claude habit. There are also a lot of comments included in the code, and McCarty points out that they are well written, "totally unlike real comments made by humans," he explained. It also has a lot of messages in console.log, another favorite habit of AI-generated code that human developers tend to keep to a minimum.

Someone uploaded the malware on July 28, and security teams flagged it as malicious about two days later. All versions have now been removed, but McCarty said that more than 1,500 downloads had occurred, although Safety didn't say from how many individual IP addresses.
[2]
AI-Generated Malicious npm Package Drains Solana Funds from 1,500+ Before Takedown
Cybersecurity researchers have flagged a malicious npm package that was generated using artificial intelligence (AI) and concealed a cryptocurrency wallet drainer.

The package, @kodane/patch-manager, claims to offer "advanced license validation and registry optimization utilities for high-performance Node.js applications." It was uploaded to npm by a user named "Kodane" on July 28, 2025. The package is no longer available for download from the registry, but not before it attracted over 1,500 downloads.

Software supply chain security company Safety, which discovered the library, said the malicious features are advertised directly in the source code, calling it an "enhanced stealth wallet drainer." Specifically, the behavior is triggered as part of a postinstall script that drops its payload within hidden directories across Windows, Linux, and macOS systems, and then proceeds to connect to a command-and-control (C2) server at "sweeper-monitor-production.up.railway[.]app."

"The script generates a unique machine ID code for the compromised host and shares that with the C2 server," Paul McCarty, head of research at Safety, said, noting that the C2 server lists two compromised machines.

In the npm ecosystem, postinstall scripts are often overlooked attack vectors: they run automatically after a package is installed, meaning users can be compromised without ever executing the package manually. This creates a dangerous blind spot, especially in CI/CD environments where dependencies are updated routinely without direct human review.

The malware is designed to scan the system for the presence of a wallet file, and if found, it proceeds to drain all funds from the wallet to a hard-coded wallet address on the Solana blockchain.

While this is not the first time cryptocurrency drainers have been identified in open-source repositories, what makes @kodane/patch-manager stand out are clues that suggest the use of Anthropic's Claude AI chatbot to generate it.
This includes the presence of emojis, extensive JavaScript console logging messages, well-written and descriptive comments, a README.md markdown file written in a style consistent with Claude-generated markdown files, and Claude's habit of labelling code changes "Enhanced."

The discovery of the npm package highlights "how threat actors are leveraging AI to create more convincing and dangerous malware," McCarty said.

The incident also underlines growing concerns in software supply chain security, where AI-generated packages may bypass conventional defenses by appearing clean or even helpful. This raises the stakes for package maintainers and security teams, who now need to monitor not just known malware, but increasingly polished, AI-assisted threats that exploit trusted ecosystems like npm.
A malicious npm package, likely created using AI, has been discovered stealing cryptocurrency from users' wallets. The package, masquerading as a legitimate tool, highlights the growing threat of AI-assisted malware in software supply chains.
In a concerning development at the intersection of artificial intelligence and cybersecurity, researchers have uncovered a malicious npm package that appears to have been generated using AI. The package, named "@kodane/patch-manager," was designed to drain cryptocurrency wallets and managed to attract over 1,500 downloads before being taken down [1].
Source: The Hacker News
The malicious package masqueraded as a legitimate tool, claiming to offer "license validation and registry optimization" for Node.js applications. However, upon closer inspection, security researchers from Safety discovered its true nature as an "Enhanced Stealth Wallet Drainer" [2].
The malware's functionality is particularly cunning. It targets cryptocurrency wallets on Windows, macOS, and Linux systems, draining funds to a predefined address on the Solana blockchain. Interestingly, it leaves enough currency in the wallet to cover transaction fees, potentially delaying detection [1].
What sets this malware apart is the strong indication that it was generated using AI, specifically Anthropic's Claude model. Paul McCarty, Safety's head of research, pointed out several telltale signs:

- emojis scattered through the source code;
- markdown files, including the README.md, formatted the way Claude formats them;
- frequent use of the word "Enhanced";
- extensive, well-written English comments describing the functions;
- a large number of console.log messages.
Source: The Register
McCarty noted, "For some reason code generating AI platforms love to put emojis in source code. No developer that I know does this, unless they are 14" [1].
The discovery of this AI-generated malware raises significant concerns about software supply chain security. The package's professional appearance and well-written documentation could easily deceive developers and bypass conventional security measures [2].
Of particular concern is the use of postinstall scripts, which run automatically after a package is installed. This creates a dangerous blind spot, especially in CI/CD environments where dependencies are updated routinely without direct human review [2].
The malicious package was uploaded on July 28, 2025, and flagged as malicious about two days later. In that short time, it managed to attract over 1,500 downloads. While all versions have now been removed, the actual impact remains unclear, as the number of unique IP addresses that downloaded the package is unknown [1][2].
This incident highlights the growing threat of AI-assisted malware creation. As AI tools become more sophisticated and accessible, cybercriminals can potentially create more convincing and dangerous malware that can evade traditional detection methods [2].
The cybersecurity community now faces the challenge of not only monitoring for known malware but also developing strategies to detect and mitigate increasingly polished, AI-assisted threats that exploit trusted ecosystems like npm [2].
Summarized by
Navi