crypto-wallet - TrustStrike Labs

threat

2026-04-24

Kaspersky finds 26 'FakeWallet' apps on Apple's App Store impersonating MetaMask, Coinbase, Trust Wallet, and Ledger to steal crypto seed phrases

Kaspersky identified 26 malicious iOS apps live on the Apple App Store impersonating major cryptocurrency wallets including MetaMask, Coinbase, Trust Wallet, Ledger, TokenPocket, imToken, Bitpie, and OneKey. The campaign, named FakeWallet and linked to the SparkKitty operation, has been running since fall 2025. The apps used typosquatted names, cloned icons, and stub functionality (games, calculators, task planners) to pass App Store review. Some embed compromised viewDidLoad routines that scan the screen for mnemonic words as the user types and exfiltrate seed phrases via RSA-encrypted payloads. Apple removed 25 of the 26 after disclosure; the developer behind the 26th was terminated.

fakewallet sparkkitty ios app-store crypto-wallet seed-phrase metamask ledger kaspersky

Check: Audit wallet apps installed on any iOS device that holds crypto credentials - your own and team members' devices used for treasury, payroll, vendor payments, or personal investing.
Affected: iOS users who downloaded any of the 26 FakeWallet apps between fall 2025 and the April 2026 takedowns, particularly those with Apple account region set to China. Anyone who entered a seed phrase must assume their wallet is compromised. Cold wallet users are not exempt - some variants embedded into companion apps.
Fix: Review every App Store download under any region, particularly wallet or crypto apps. Cross-check developer names against official wallet websites (MetaMask is ConsenSys, Trust Wallet is DApps Platform Inc., Ledger is Ledger SAS). Any wallet app that asks for your seed phrase is a thief. If exposed, transfer assets to a fresh wallet on known-clean hardware and treat the old seed as burned.

threat

2026-04-22

Self-propagating npm worm hits Namastex Labs packages, steals secrets across npm, PyPI, and crypto wallets

A new supply-chain worm is loose on npm, stealing developer credentials and republishing itself automatically from whichever compromised account it lands on. Socket and StepSecurity identified the attack in packages published by Namastex Labs, a company that builds agentic AI tooling, with 16 package versions confirmed malicious so far and the first poisoned release (pgserve 1.1.11 on April 21 at 22:14 UTC) followed by two more the same day. The injected code grabs tokens, API keys, SSH keys, credentials for cloud services, CI/CD systems, container registries, and LLM platforms, plus Kubernetes and Docker configs, then rifles through Chrome and Firefox for cryptocurrency wallet data including MetaMask, Exodus, Atomic Wallet, and Phantom. If the malware finds an npm publish token in environment variables or ~/.npmrc, it identifies every package the victim can publish, injects itself into each, bumps the version, and republishes - a worm in the literal sense. It applies the same trick to PyPI via a .pth-based payload if Python credentials are present, making this a cross-ecosystem threat. Socket and StepSecurity note the techniques mirror TeamPCP's CanisterWorm attacks but stop short of definitive attribution.

npm pypi supply-chain worm namastex-labs infostealer crypto-wallet teampcp self-propagating

Check: Search your package-lock and yarn.lock files and private registry caches for any of the listed Namastex Labs versions, and then rotate every credential that has ever been present on a machine that installed them.
Affected: Confirmed malicious versions per Socket: @automagik/genie 4.260421.33 through 4.260421.39; pgserve 1.1.11 through 1.1.13; @fairwords/websocket 1.0.38 through 1.0.39; @fairwords/loopback-connector-es 1.4.3 through 1.4.4; @openwebconcept/theme-owc 1.0.3; @openwebconcept/design-tokens 1.0.3. Any additional npm package republished by an account whose publish token was exfiltrated by this worm is also potentially malicious.
Fix: Remove the listed versions from development environments, CI/CD runners, and private mirrors immediately. Rotate every secret the worm would have seen: npm publish tokens, PyPI tokens, cloud provider keys, CI/CD deploy keys, SSH keys, LLM platform API keys, container registry credentials, and any crypto wallet seeds stored in browser extensions on affected machines. Audit your package caches and internal mirrors for related packages that share the same public.pem file, webhook host, or postinstall pattern (Socket publishes IoCs for this). Pin production dependencies to known-good versions with integrity hashes and deny the newest versions of the affected packages in your package firewall until forensics is complete.