Analysis Summary

A number of malicious packages on the npm registry have been discovered by cybersecurity experts to mimic the Hardhat tool from the Nomic Foundation, which is used to steal confidential information from developer workstations.

The researchers said, “By exploiting trust in open source plugins, attackers have infiltrated these platforms through malicious npm packages, exfiltrating critical data such as private keys, mnemonics, and configuration details.”

Hardhat is an Ethereum software development environment that includes several tools for modifying, building, debugging, and launching decentralized apps (dApps) and smart contracts. Among the counterfeit packages, 1,092 downloads have been made to @nomicsfoundation/sdk-test. It was released in October 2023, more than a year ago. After being installed, they are made to extract private keys and mnemonic phrases from the Hardhat environment, which they then exfiltrate to a server under the control of the attacker.

When compromised packages are installed, the attack starts. Through the use of functions like hreInit() and hreConfig(), these programs take advantage of the Hardhat runtime environment to gather private keys, mnemonics, and configuration files, among other sensitive information. Using Ethereum addresses and hardcoded keys for efficient exfiltration, the gathered data is sent to attacker-controlled endpoints.

The revelation follows the identification of ethereumvulncontracthandler, another malicious npm package that poses as a library for identifying Ethereum smart contract vulnerabilities but contains the ability to release the Quasar RAT malware. Malicious npm packages have also been seen in recent months utilizing Ethereum smart contracts to distribute command-and-control (C2) server addresses, enlisting compromised computers into the MisakaNetwork, a blockchain-powered botnet. The campaign has been linked to a threat actor who speaks Russian and goes by the moniker "_lain."

Because packages frequently rely on several dependencies, forming a complicated 'nesting doll' structure, the threat actor highlights an inherent complexity of the npm ecosystem. This dependency chain creates an opportunity for attackers to add harmful code and complicates thorough security checks. Knowing that it is not feasible for developers to examine each package and dependency in npm ecosystems, _lain acknowledges taking advantage of this complexity and dependency sprawl.

But that's not all. Out-of-band application security testing (OAST) tools like oastify.com and oast.fun have been used by a group of fraudulent libraries discovered in the npm, PyPI, and RubyGems ecosystems to exfiltrate private information to servers under the control of attackers. Software developers are advised to confirm package authenticity, use caution when typing package names, and examine the source code before installation to reduce the supply chain risks that these packages bring.

Impact

• Sensitive Data Theft
• Data Exfiltration

Indicators of Compromise

URL

• https://cryptoshiny.com/api
• https://cryptoshiny.com/api/projects/setData
• https://cryptoshiny.com/api/projects/getAddress
• https://projects.cryptosnowprince.com/api
• http://t0uxistfm4fo6bg9pjfpdqb1ssyjmfa4.oastify.com/

Remediation

• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Regularly monitor and audit npm packages for malicious activities, ensuring that all packages are thoroughly vetted before being published.
• Developers should carefully review the code and dependencies of any package before using it, especially when downloaded from open-source repositories. Avoid using packages from unknown or untrusted authors.
• Use security tools that automatically analyze npm packages for potential malicious code, and deploy sandbox environments to execute and validate code in a controlled manner before it reaches production systems.
• Raise awareness among developers about common evasion techniques like obfuscation and provide guidelines on how to identify them during code reviews.
• Require MFA for publishing and managing npm packages to reduce the risk of unauthorized package uploads.
• Ensure that all developer systems are up to date with security patches to minimize the risk of malware exploitation.
• Developers and users should verify the credibility of repositories by looking beyond star counts and considering other factors like the number of contributors, recent activity, and community feedback before relying on open-source projects.
• Establish peer review processes within development teams to analyze and approve code dependencies before integration into projects, helping to catch potential security issues early.