Introduction

Cybersecurity researchers have uncovered a series of malicious npm packages specifically targeting Ethereum wallet developers. These packages are designed to harvest private keys and enable unauthorized remote access to compromised systems through an SSH backdoor.

Description

Cybersecurity researchers have identified several malicious npm packages targeting Ethereum wallet developers [2], designed to harvest private keys and gain unauthorized remote access to compromised systems via an SSH backdoor. These trojanized packages [2], which disguise themselves as the legitimate ethers library, include ethers-mew [1], ethers-web3 [1] [2] [3] [4], ethers-6 [1] [2] [3] [4] [5], ethers-eth [1] [3] [4], ethers-aaa [1], ethers-audit [1], and ethers-test [1] [3], with download counts of 62, 110, 56, 58, 781, 69, and 336, respectively. The most dangerous of them, ethers-mew [1] [2] [3] [4], modifies the /root/.ssh/authorized_keys file to insert the attacker’s SSH public key, giving the attacker persistent access to the victim’s machine.
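Every package named above reuses the same naming pattern: the trusted name `ethers` followed by a separator and a suffix (ethers-mew, ethers-web3, ethers-6, ...). The script below is an added example written for this page, not code from the article or from any of the cited sources; it walks a project's package.json and flags dependency names that look like a trusted package. The list of protected names and the sample manifest are assumptions constructed for the demo, and the edit-distance check goes beyond the article by also catching one-character typosquats such as `ehters`.

```javascript
// Added example (not from the article or the cited sources): flag dependency
// names in a package.json that look like a trusted package.

// Names to protect from lookalikes. This list is an assumption for the demo;
// extend it with whatever packages your project treats as trusted.
const PROTECTED = ["ethers"];

// Optimal-string-alignment distance: Levenshtein plus adjacent transposition,
// so that "ehters" counts as one edit away from "ethers".
function osaDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) =>
    Array.from({ length: b.length + 1 }, (_, j) => (i === 0 ? j : j === 0 ? i : 0))
  );
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Classify one dependency name; returns null when it is not suspicious.
function lookalikeReason(name, protectedNames = PROTECTED) {
  // For "@scope/pkg" compare the bare package name, so that legitimate scoped
  // packages such as @ethersproject/abi are judged on "abi", not on the scope.
  const bare = name.startsWith("@") ? name.split("/")[1] || "" : name;
  for (const legit of protectedNames) {
    if (name === legit) return null; // the genuine, unscoped package
    if (bare === legit) return `scoped copy of "${legit}"`; // e.g. @someone/ethers
    if (bare.startsWith(legit) && /^[-_.]/.test(bare.slice(legit.length))) {
      return `suffixed variant of "${legit}"`; // ethers-mew, ethers_web3, ethers.6
    }
    if (osaDistance(bare.toLowerCase(), legit) <= 1) {
      return `one edit away from "${legit}"`; // ehters, ether, ethers6
    }
  }
  return null;
}

// Walk every dependency section of a parsed package.json and collect findings.
function findLookalikes(pkg, protectedNames = PROTECTED) {
  const findings = [];
  for (const section of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, range] of Object.entries(pkg[section] || {})) {
      const reason = lookalikeReason(name, protectedNames);
      if (reason) findings.push({ section, name, range, reason });
    }
  }
  return findings;
}

// Constructed sample manifest (not a real project): the genuine ethers, one
// trojan-style name from the article, one typosquat, and two harmless packages.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "wallet-demo",
  dependencies: { ethers: "^6.13.0", "ethers-mew": "^1.0.0", express: "^4.19.2" },
  devDependencies: { ehters: "^5.7.2", "@ethersproject/abi": "^5.7.0" },
});

// To audit a real project, replace SAMPLE_PACKAGE_JSON with the contents of its
// package.json, e.g. require("fs").readFileSync("package.json", "utf8").
for (const f of findLookalikes(JSON.parse(SAMPLE_PACKAGE_JSON))) {
  console.log(`[${f.section}] ${f.name}@${f.range}: ${f.reason}`);
}
```

The output is a triage list, not a verdict: a flagged name still has to be checked against the registry (publisher, age, repository link) before it is treated as malicious, and the same scan is worth running over the lockfile so that transitive dependencies are covered too.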

The malicious code only runs once a developer has imported one of these packages into their project and uses it to create a new Wallet instance, which makes the attack harder to detect than a typical supply chain attack [2]. The attackers also registered the domain ether-sign.com [3] to receive the exfiltrated private keys [3], and the campaign employs techniques such as credential dumping and SSH hijacking. The malicious code is hidden behind multiple layers of indirection [3], ultimately leading to the compromise of the victim’s machine [3].
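The SSH hijacking described here relies on an attacker key being appended to /root/.ssh/authorized_keys. A host-side check that catches this is to compare the file against the keys you expect to be present. The script below is an added example written for this page, not code from the article or the cited sources; it parses authorized_keys entries (including ones with a leading options field) and reports every key whose identity is not in a baseline recorded when the host was provisioned. The baseline and the sample file are constructed for the demo, and the key blobs are placeholders rather than real public keys.

```javascript
// Added example (not from the article or the cited sources): audit an
// authorized_keys file against a baseline of expected keys and report the rest.

// Key types OpenSSH accepts in authorized_keys; used to tell an options field
// from the start of the key itself.
const KEY_TYPE = /^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com)$/;
const BASE64 = /^[A-Za-z0-9+/]+=*$/;

// Parse one line into { options, type, blob, comment, id }; null for blank and
// comment lines; { error } for lines that are not valid key entries.
function parseAuthorizedKeysLine(line) {
  const trimmed = line.trim();
  if (trimmed === "" || trimmed.startsWith("#")) return null;
  // Split on whitespace, keeping quoted option values (command="...") intact.
  const tokens = trimmed.match(/(?:[^\s"]+|"[^"]*")+/g) || [];
  const options = KEY_TYPE.test(tokens[0]) ? null : tokens.shift();
  const [type, blob, ...comment] = tokens;
  if (!type || !blob || !KEY_TYPE.test(type) || !BASE64.test(blob)) {
    return { error: "unparseable entry" };
  }
  // The key identity is type + blob; the comment is free text and is ignored.
  return { options, type, blob, comment: comment.join(" "), id: `${type} ${blob}` };
}

// Compare the file against the baseline (a list of "type blob" ids recorded
// when the host was provisioned) and return entries that should not be there.
function auditAuthorizedKeys(text, baselineIds) {
  const baseline = new Set(baselineIds);
  const unexpected = [];
  const errors = [];
  text.split("\n").forEach((line, index) => {
    const entry = parseAuthorizedKeysLine(line);
    if (entry === null) return;
    if (entry.error) {
      errors.push({ line: index + 1, raw: line });
      return;
    }
    if (!baseline.has(entry.id)) unexpected.push({ line: index + 1, ...entry });
  });
  return { unexpected, errors };
}

// Constructed sample data. The blobs are placeholders, not real public keys.
const BASELINE_IDS = [
  "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEadminkeyplaceholder0000000000000000000",
];
const SAMPLE_AUTHORIZED_KEYS = [
  "# constructed sample, not a real authorized_keys file",
  "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEadminkeyplaceholder0000000000000000000 admin@build-host",
  "",
  'command="/usr/bin/true",no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEunknownkeyplaceholder00000000000000000 deploy',
  "not a key line at all",
].join("\n");

// On a live host, pass require("fs").readFileSync("/root/.ssh/authorized_keys", "utf8")
// instead of the sample text.
const sampleReport = auditAuthorizedKeys(SAMPLE_AUTHORIZED_KEYS, BASELINE_IDS);
for (const e of sampleReport.unexpected) {
  const opts = e.options ? ` with options ${e.options}` : "";
  console.log(`line ${e.line}: unexpected ${e.type} key "${e.comment}"${opts}`);
}
for (const e of sampleReport.errors) {
  console.log(`line ${e.line}: cannot parse: ${e.raw}`);
}
```

The baseline must come from a source the compromised host cannot rewrite (configuration management, a golden image, or a copy kept off-box), otherwise an attacker who can append to the file can just as easily update the baseline. Running the audit on a schedule is a point-in-time check; pairing it with a file-integrity monitor or an auditd watch on the authorized_keys files gives you the time of the change as well.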

The attackers behind this campaign have been linked to accounts named “crstianokavic” and “timyorks,” who published the malicious packages [5]. This incident underscores the persistent threats posed by supply chain vulnerabilities in the cryptocurrency sector [2], highlighting the need for developers to carefully vet open-source packages and verify their sources to avoid similar exploits [2]. Following the discovery, the malicious packages were swiftly removed [5], likely by the attackers themselves [5], further emphasizing the urgency of vigilance within the developer community.

Conclusion

This incident highlights the critical need for heightened security measures in the cryptocurrency sector, particularly concerning supply chain vulnerabilities. Developers must rigorously vet open-source packages and verify their authenticity to prevent similar exploits [2]. The swift removal of these malicious packages underscores the importance of ongoing vigilance and proactive security practices to mitigate future threats.

References

[1] https://thehackernews.com/2024/10/malicious-npm-packages-target.html
[2] https://cybermaterial.com/malicious-npm-packages-target-crypto-wallets/
[3] https://www.hendryadrian.com/trojanized-ethers-forks-on-npm-targeting-ethereum-private-key-theft-phylum/
[4] https://vulners.com/thn/THN:63445B5259454C025AC257AB65F7D5B4
[5] https://thenimblenerd.com/article/beware-sneaky-npm-packages-target-ethereum-keys-and-ssh-access/