Rampant emoji use suggests crypto-stealing NPM package was written by AI
(2025/08/01)
- Reference: 1754082074
- News link: https://www.theregister.co.uk/2025/08/01/emoji_use_ai_malware/
An NPM package packed with cryptocurrency-stealing malware appears to have been largely AI-generated, as evidenced by its liberal use of emojis and other telltale signs.
Security shop Safety found the Kodane attack code in an npm module masquerading as "NPM Registry Cache Manager," which claimed to offer "license validation and registry optimization" for Node.js apps. But when they dug into it, the source code made very clear what the actual purpose of the software was - in the markdown docs it calls itself Enhanced Stealth Wallet Drainer and, when activated, will empty any cryptocurrency wallet it can find in Windows, macOS, and Linux systems, and send the currency to an address on the Solana blockchain.
Judging from the transaction details, the criminal behind the code has had a lot of success, as you can see from the list of successful transactions below.
[1] The wages of sin are quite good it seems
It's a cunning piece of malware, taking most of the money out of any crypto wallet it finds but leaving enough in there to cover the transaction fees when the main loot is removed. In all, 19 packages of the code were spammed out over the space of two days. Although Kodane is the Japanese word for child, the UTC+5 malware upload time suggests the operator could be based in Russia or Central Asia.
"The documentation included in the package is professionally written and contains believable technical details, and avoids typical red flags that might alert developers," [2] wrote Paul McCarty, Safety's head of research.
A more detailed breakdown of the code gives even further indication that AI was used to write large chunks of it. One key giveaway is the use of emojis - something no serious developer really does.
"For some reason code-generating AI platforms love to put emojis in source code. No developer that I know does this, unless they are 14," McCarty opined. "Claude, however, does this every time I use it. It's obsessed with emojis, I swear."
There are other signs that look like the fingerprints of the Claude model. For example, the code contains a number of markdown files that are formatted in the way the AI engine likes to do it, and makes frequent use of the word "Enhanced," which is another Claude habit.
There are also a lot of comments included in the code, and McCarty points out that they are well written - "totally unlike real comments made by humans," he explained. It also has a lot of messages in console.log, another favorite habit for AI-generated code that human developers tend to keep to a minimum.
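The tells McCarty lists (emojis in source, the word "Enhanced", chatty console.log output, unusually tidy comments) are cheap to count, so here is an added triage scorer, written for this article and not taken from Safety's report or from the Kodane package, that flags files worth a human look; the thresholds and the two sample snippets are assumptions constructed for the example.

```javascript
// Added example (not code from the article or from Safety's report): a triage
// scorer for the AI-generation tells the article lists in npm package source.
// Thresholds are assumptions; a high score means "a human should read this",
// not "this package is malicious".

const EMOJI_RE = /\p{Extended_Pictographic}/gu;   // emojis in code
const CONSOLE_RE = /console\.log\(/g;              // chatty console output
const ENHANCED_RE = /\benhanced\b/gi;              // the "Enhanced" habit
const COMMENT_RE = /^\s*(\/\/|\/\*|\*)/;           // comment-only lines

function scoreSource(src) {
  const lines = src.split("\n").filter((l) => l.trim() !== "");
  const total = lines.length || 1;
  const emojis = (src.match(EMOJI_RE) || []).length;
  const logs = (src.match(CONSOLE_RE) || []).length;
  const enhanced = (src.match(ENHANCED_RE) || []).length;
  const comments = lines.filter((l) => COMMENT_RE.test(l)).length;

  const signals = [];
  if (emojis > 0) signals.push(`${emojis} emoji(s) in source`);
  if (logs / total > 0.2) signals.push(`console.log on ${logs}/${total} lines`);
  if (enhanced >= 2) signals.push(`"Enhanced" used ${enhanced} times`);
  if (comments / total >= 0.25) signals.push(`${comments}/${total} lines are comments`);
  return { emojis, logs, enhanced, comments, total, signals, score: signals.length };
}

// Constructed sample in the style the article describes (not real Kodane code).
const SUSPECT = `
// Enhanced Registry Cache Manager 🚀
// Initialises the registry cache and validates the licence.
function enhancedInit() {
  console.log("✅ Enhanced cache layer ready");
  console.log("🔍 Optimising registry lookups...");
  console.log("💾 Enhanced cache write complete");
  return true;
}
`;

// Constructed contrast: terse, human-style code with none of the tells.
const PLAIN = `
function lru(max) {
  const m = new Map(); // key -> value
  return { get: (k) => m.get(k), set: (k, v) => { m.set(k, v); if (m.size > max) m.delete(m.keys().next().value); } };
}
`;

for (const [name, src] of [["suspect", SUSPECT], ["plain", PLAIN]]) {
  const r = scoreSource(src);
  console.log(`${name}: score ${r.score}/4 -> ${r.signals.join("; ") || "no signals"}`);
}
```

The scorer reads whole files, so pointing it at the unpacked contents of a package tarball before installation (rather than at the registry metadata) is what makes the "Enhanced" and comment-density signals useful.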
Someone uploaded the malware on July 28, and security teams flagged it as malicious about two days later. All versions have now been removed, but McCarty said that more than 1,500 downloads had occurred, although Safety didn't say from how many individual IP addresses. ®
[1] https://regmedia.co.uk/2025/08/01/kodane.jpg
[2] https://getsafety.com/blog-posts/threat-actor-uses-ai-to-create-a-better-crypto-wallet-drainer
Hey!
Chris Gray 1
Hey! *I* write good comments. Usually. And no emojis - emacs doesn't support them, as far as I know. My phone has a billion of them, and most I have no clue what they are supposed to mean.
And it actually works?
the hawk
That’s a big news story in itself.
// The next (:-3 lines are :-) kinda, like, just totally bogus enhanced ;-0 dude