Kai Ole Hartwig — Blog

Six packages, one cluster, one message: the EVM/DeFi npm wave of 6 May 2026

Four days after the node-env-resolve RAT, the second wave followed: on 6 May 2026 six malicious npm packages appeared for the Ethereum, Hardhat, and Foundry world. Same code, different mask, different ecosystem — and a simple lesson for every build pipeline.

What has changed? Six npm packages with an identical payload, published under EVM/Hardhat/Foundry tooling names and activated only on require() on a real Ethereum workstation. Who is affected? Web3-leaning German Mittelstand companies, frontend agencies with weak npm lockfile hygiene, and AI agent operators running dynamic tool loaders. What should you do today? Mirror allowlist, token inventory, MCP tool audit — in that order.
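The mirror allowlist and lockfile hygiene items above can be enforced mechanically in CI. The following is an added example, not code from the original post: it audits an npm v2/v3 package-lock.json and flags every dependency that is not resolved from an allowlisted internal mirror, lacks an integrity hash, or declares an install script. The mirror URL, package names and versions in the sample are constructed placeholders.

```javascript
// Lockfile hygiene gate for a build pipeline (added example, constructed data).
// Works on npm lockfileVersion 2 and 3, which list every installed package
// under "packages" keyed by its node_modules path.

// Hypothetical internal mirror; replace with your own allowlisted registry.
const ALLOWED_MIRRORS = ["https://npm.example-corp.internal/"];

function auditLockfile(lockJson, allowedMirrors = ALLOWED_MIRRORS) {
  const lock = typeof lockJson === "string" ? JSON.parse(lockJson) : lockJson;
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue;          // root project entry, not a dependency
    if (entry.link) continue;           // workspace symlink, nothing fetched
    const name = path.replace(/^.*node_modules\//, "");
    if (!entry.resolved) {
      // No pinned tarball URL: the install is not reproducible.
      findings.push({ name, reason: "no resolved URL (floating dependency)" });
      continue;
    }
    if (!allowedMirrors.some((m) => entry.resolved.startsWith(m))) {
      findings.push({ name, reason: `resolved outside mirror allowlist: ${entry.resolved}` });
    }
    if (!entry.integrity) {
      findings.push({ name, reason: "missing integrity hash" });
    }
    if (entry.hasInstallScript) {
      // npm records this when a package declares preinstall/install/postinstall.
      findings.push({ name, reason: "declares an install script" });
    }
  }
  return findings;
}

// Constructed sample lockfile: one clean entry from the mirror, one entry that
// bypasses the mirror, has no integrity hash and carries an install script.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "dapp-frontend", version: "1.0.0" },
    "node_modules/hardhat": {
      version: "0.0.0-placeholder",
      resolved: "https://npm.example-corp.internal/hardhat/-/hardhat-0.0.0-placeholder.tgz",
      integrity: "sha512-PLACEHOLDER",
    },
    "node_modules/evm-tooling-placeholder": {
      version: "0.0.1",
      resolved: "https://registry.npmjs.org/evm-tooling-placeholder/-/evm-tooling-placeholder-0.0.1.tgz",
      hasInstallScript: true,
    },
  },
};

const SAMPLE_FINDINGS = auditLockfile(SAMPLE_LOCK);
if (SAMPLE_FINDINGS.length > 0) console.log(SAMPLE_FINDINGS);
```

Run it against the real lockfile in CI and fail the build on any finding; a non-empty result is the signal that a dependency entered the tree outside the mirror or without a pinned hash.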

Six nearly identical kraft-paper envelopes with wax seals, laid out precisely on concrete; one is opened at the side, and a thin red thread runs quietly to an empty leather wallet; beside them a brass magnifying glass and a brass key in cool northern light.