On July 28, 2025, cybersecurity researchers flagged a malicious npm package named @kodane/patch-manager that deployed a cryptocurrency wallet drainer and appears to have been generated with the help of AI.
Disguised as a utility for license validation and registry optimization in Node.js apps, the package was downloaded over 1,500 times before being removed from the npm registry. Security firm Safety found that the malicious behavior was embedded in a postinstall script, a lifecycle hook npm runs automatically after installation, so the payload executed even if the package's code was never imported or run manually. The script copied its payload into hidden directories on Windows, macOS, and Linux systems, connected to a command-and-control (C2) server, and scanned for local Solana wallets. If it found one, it drained the funds to a hard-coded address.
What makes this incident stand out is strong evidence that the package may have been authored with help from Anthropic’s Claude AI. The code included emojis, verbose console messages, descriptive markdown documentation, and Claude’s characteristic use of the term “Enhanced.”
The case highlights a growing concern: AI-assisted malware in open-source ecosystems. As AI tools help attackers craft more polished and deceptive code, security teams must adapt their monitoring to detect not just known threats, but also AI-generated packages that appear legitimate.
Contact us: Finstein Cyber — Cybersecurity & VAPT Services
Source: https://thehackernews.com/2025/08/ai-generated-malicious-npm-package.html