Cybersecurity researchers discovered several malicious packages in the npm registry that were found to mimic the Hardhat Nomic Foundation tool in order to steal sensitive data from developer systems.
“By exploiting trust in open source plugins, attackers infiltrated these platforms via malicious npm packages, stealing important data such as private keys, mnemonics, and configuration details,” Socket Research Group said in the analysis.
today is an Ethereum software development environment that contains various components for editing, compiling, debugging, and deploying smart contracts and decentralized applications (dApps).
The list of detected fake packages is as follows –
- nomic society
- @nomisfoundation/hardconfigure
- installed package publish
- @nomisfoundation/hard-config
- @monicfoundation/hardhat-config
- @nomicsfoundation/sdk-test
- @nomicsfoundation/hardware-config
- @nomicsfoundation/web3-sdk
- @nomicsfoundation/sdk-test1
- @nomicfoundations/hardhat-config
- crypto-nodes-validator
- solana-validator
- validator nodes
- hardhat-deploy-others
- hardhat-gas-optimizer
- integrity-comments-extractors
From these packages, @nomicsfoundation/sdk-test attracted 1092 downloads. It was published over a year ago, in October 2023. Once installed, they are designed to collect mnemonic phrases and private keys from the Hardhat environment, after which they end up on a server controlled by the attacker.
“The attack starts when compromised packages are installed. These packages exploit the Hardhat runtime, using functions such as hreInit() and hreConfig() to collect sensitive details such as private keys, mnemonics, and configuration files,” the company said.
“Harvested data is transmitted to attacker-controlled endpoints using hard-coded Ethereum keys and addresses for optimized hijacking.”
The disclosure comes days after the discovery of another malicious npm package called ethereumvulncontracthandler which masquerades as a library for detecting vulnerabilities in Ethereum smart contracts, but instead contains functionality to remove the Quasar RAT malware.
There have also been malicious npm packages in recent months is observed using Ethereum smart contracts to distribute Command and Control (C2) server addresses, co-opting infected machines into the MisakaNetwork botnet, which runs on the blockchain. The campaign was traced to a Russian-speaking threat actor named “_lain”.
“The threat actor points to the inherent complexity of the npm ecosystem, where packages often rely on numerous dependencies, creating a complex nesting box structure,” – Socket said.
“This chain of dependencies makes comprehensive security checks difficult and opens up opportunities for attackers to inject malicious code. _lain admits to exploiting this complexity and sprawl of dependencies in npm ecosystems, knowing that it is impractical for developers to scrutinize every package and dependency.”
That’s not all. A set of fake libraries in the npm, PyPI, and RubyGems ecosystems have been discovered that use out-of-band application security testing (OAST) tools such as oastify.com and oast.fun to transmit sensitive data to attacker-controlled servers.
The package names are as follows –
- adobe-dcapi-web (npm), which avoids the threat to Windows, Linux, and macOS endpoints located in Russia and provides the ability to collect system information
- monoliht (PyPI), which collects system metadata
- chauuuyhhn, nosvemosssadfsd, holaaaaaafasdf (RubyGems), which contain embedded scripts designed to forward sensitive information via DNS queries to the oastify.com endpoint
Kirill Boychenko, Socket researcher said. “Originally designed to detect vulnerabilities in web applications, OAST techniques are increasingly being used to steal data, establish command-and-control (C2) channels, and perform multi-stage attacks.”
To reduce the supply chain risks associated with such packages, software developers are encouraged to validate packages, use care when entering package names, and check the source code before installation.
