New Crypto Stealer on npm. A Two-Part Attack

2025-11-20 JFrog

https://research.jfrog.com/post/new-crypto-stealer-npm/


JFrog found a two-part npm cryptocurrency stealer that paired a benign-looking Ethereum address validation package with a malicious transitive dependency. The visible package exported ordinary address-checking functions, but dynamically imported aes-core-valid-ipherv, whose hidden code attempted to read local secret-bearing files such as .env and keys/data.json. The payload sent stolen file contents to an attacker-controlled HTTP endpoint at 45[.]8[.]22[.]52:5051/api/core-tech. The split bait-and-payload design reduced scrutiny by placing the malicious behavior in a dependency reviewers might not inspect.
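Because the malicious code sits one level below the package a reviewer actually reads, a useful check is to trace a flagged name back through the lockfile to the direct dependency that pulls it in. The following is an added example, not code from the JFrog report; it assumes the payload is recorded as a dependency in an npm v3 lockfile, and the lockfile contents and the `example-*` and `demo-app` names are constructed placeholders.

```javascript
// Added example: report which dependency chain pulls in a flagged package.
const FLAGGED = new Set(["aes-core-valid-ipherv"]); // payload name given in the report

// Constructed npm lockfile (v3 layout); "example-*" names are placeholders.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "example-eth-validator": "^1.0.0", "example-logger": "^2.0.0" } },
    "node_modules/example-eth-validator": { version: "1.0.2", dependencies: { "aes-core-valid-ipherv": "^1.0.0" } },
    "node_modules/aes-core-valid-ipherv": { version: "1.0.0" },
    "node_modules/example-logger": { version: "2.0.1" },
  },
};

// Resolve `name` the way Node would from the package stored at lockfile key `from`:
// try the nested node_modules first, then each parent level up to the root.
function resolve(packages, from, name) {
  let base = from;
  for (;;) {
    const key = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[key]) return key;
    if (!base) return null;
    const cut = base.lastIndexOf("/node_modules/");
    base = cut === -1 ? "" : base.slice(0, cut);
  }
}

// Breadth-first walk from the root project; returns "direct > ... > flagged" chains.
function findChains(lock, flagged = FLAGGED) {
  const packages = lock.packages || {};
  const hits = [];
  const seen = new Set();
  const queue = [{ key: "", chain: [] }];
  while (queue.length) {
    const { key, chain } = queue.shift();
    const pkg = packages[key] || {};
    const deps = { ...pkg.dependencies, ...pkg.optionalDependencies,
                   ...(key === "" ? pkg.devDependencies : {}) };
    for (const name of Object.keys(deps)) {
      const child = resolve(packages, key, name);
      if (!child) continue; // declared but not installed in this lockfile
      const next = [...chain, name];
      if (flagged.has(name)) hits.push(next.join(" > "));
      if (!seen.has(child)) { seen.add(child); queue.push({ key: child, chain: next }); }
    }
  }
  return hits;
}

console.log(findChains(SAMPLE_LOCK));
```

To run it against a real project, pass the parsed contents of `package-lock.json` to `findChains` in place of `SAMPLE_LOCK`.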
