Malicious crypto-theft package targets Web3 developers in North Korean operation

2025-06-12 Aikido

https://www.aikido.dev/blog/malicious-package-web3

Aikido found the npm package web3-wrapper-ethers impersonating the legitimate ethers library while targeting Web3, blockchain, and cryptocurrency developers. The package copied ethers metadata and modified the Wallet constructor to exfiltrate private keys, first to a localhost test endpoint and later to an encrypted destination that decoded to the malformed URL hxxp:/74.119.194[.]244/fetch. Multiple versions were released in one day, showing development-stage changes such as adding node-fetch, removing comments, and stripping debug logging while leaving the broken URL in place. Aikido notes that the IP overlaps Trend Micro indicators for Void Dokkaebi/DPRK-aligned activity, making the package relevant to North Korean cryptocurrency theft tracking even though the exfiltration URL appeared nonfunctional.

Indicators of Compromise

Type   Value                              First Seen   Last Seen
HASH   ff47554247f2094dda55b84b7da6e6c9   2025-06-12   2025-06-12
HASH   fd81fc4d8379f535510c1f064549472…   2025-06-12   2025-06-12
EMAIL  [email protected]                  2025-06-12   2025-06-12
IPv4   74.119.194.244                     2025-06-12   2025-06-12
