Cybersecurity researchers have revealed several malicious packages on the npm registry that have been found impersonating the Nomic Foundation's Hardhat tool to steal sensitive data from developer systems. "By exploiting trust in open source plugins, attackers have infiltrated these platforms through malicious npm packages, exfiltrating critical data such as private keys, mnemonics, and configuration details," the Socket research team said in an analysis.
Hardhat is a development environment for Ethereum software, incorporating various components for editing, compiling, debugging, and deploying smart contracts and decentralized apps (dApps).
The list of identified counterfeit packages is as follows -
• nomicsfoundations
• @nomisfoundation/hardhat-configure
• installedpackagepublish
• @nomisfoundation/hardhat-config
• @monicfoundation/hardhat-config
• @nomicsfoundation/sdk-test
• @nomicsfoundation/hardhat-config
• @nomicsfoundation/web3-sdk
• @nomicsfoundation/sdk-test1
• @nomicfoundations/hardhat-config
• crypto-nodes-validator
• solana-validator
• node-validators
• hardhat-deploy-others
• hardhat-gas-optimizer
• solidity-comments-extractors
Of these packages, @nomicsfoundation/sdk-test has attracted 1,092 downloads. It was published over a year ago, in October 2023. Once installed, the packages harvest mnemonic phrases and private keys from the Hardhat environment and exfiltrate them to an attacker-controlled server. "The attack begins when compromised packages are installed. These packages exploit the Hardhat runtime environment using functions such as hreInit() and hreConfig() to collect sensitive details like private keys, mnemonics, and configuration files," the company said.
"The collected data is transmitted to attacker-controlled endpoints, leveraging hardcoded keys and Ethereum addresses for streamlined exfiltration." The disclosure comes days after the discovery of another malicious npm package named ethereumvulncontracthandler, which masquerades as a library for detecting vulnerabilities in Ethereum smart contracts but instead harbors functionality to drop the Quasar RAT malware.
In recent months, malicious npm packages have been observed using Ethereum smart contracts for command-and-control (C2) server address distribution, co-opting infected machines into a blockchain-powered botnet called MisakaNetwork. The campaign has been tracked back to a Russian-speaking threat actor named "_lain."
"The threat actor points out an inherent npm ecosystem complexity, where packages often rely on numerous dependencies, creating a complex 'nesting doll' structure," Socket said. "This dependency chain makes comprehensive security reviews challenging and allows attackers to introduce malicious code. _lain admits to exploiting this complexity and dependency sprawl in npm ecosystems, knowing that it is impractical for developers to scrutinize every package and dependency."
In addition, a set of phony libraries uncovered across the npm, PyPI, and RubyGems ecosystems have been found leveraging out-of-band application security testing (OAST) tools such as oastify.com and oast.fun to exfiltrate sensitive data to attacker-controlled servers.
The names of the packages are as follows -
• adobe-dcapi-web (npm), which avoids compromising Windows, Linux, and macOS endpoints located in Russia and comes with capabilities to collect system information
• monoliht (PyPI), which collects system metadata
• chauuuyhhn, nosvemosssadfsd, holaaaaaafasdf (RubyGems), which contain embedded scripts designed to transfer sensitive information via DNS queries to an oastify.com endpoint
"Threat actors are misusing the same tools and techniques created for ethical security assessments," Socket researcher Kirill Boychenko said. "Originally intended to uncover vulnerabilities in web applications, OAST methods are increasingly exploited to steal data, establish command and control (C2) channels, and execute multi-stage attacks."
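The RubyGems packages above move data out through DNS queries to an oastify.com endpoint, which is a pattern a resolver or DNS log can catch. The following is an added example, not code from the article, from Socket, or from any of the named packages: it scans DNS query log lines for callbacks to OAST domains and decodes hex-encoded labels placed in front of the callback identifier. The log format, the sample lines, and the host names in them are constructed for this example; the suffix list extends the two domains named in the article with sibling domains used by the same OAST tools (Burp Collaborator and interactsh), which is an assumption rather than something the article states.

```javascript
// Added example: detect DNS-based exfiltration to OAST callback domains.
// Not part of the article or of any package it names.

// oastify.com and oast.fun are named in the article; the remaining entries are
// sibling suffixes used by the same OAST tools (assumption, extend as needed).
const OAST_SUFFIXES = [
  'oastify.com', 'oast.fun', 'oast.pro', 'oast.live', 'oast.site',
  'oast.online', 'oast.me', 'burpcollaborator.net', 'interact.sh',
];

// Return the matching OAST suffix for a query name, or null.
function hasOastSuffix(qname) {
  const host = qname.toLowerCase().replace(/\.$/, '');
  return OAST_SUFFIXES.find(s => host === s || host.endsWith('.' + s)) || null;
}

// Constructed log format: "<timestamp> <client-ip> <qtype> <qname>" per line.
function parseDnsLine(line) {
  const [ts, client, qtype, qname] = line.trim().split(/\s+/);
  if (!ts || !client || !qtype || !qname) return null;
  return { ts, client, qtype, qname };
}

// Turn a hex label such as "6c696e7578" back into the bytes it carried.
function decodeHexLabel(label) {
  let out = '';
  for (let i = 0; i < label.length; i += 2) {
    out += String.fromCharCode(parseInt(label.slice(i, i + 2), 16));
  }
  return out;
}

// Inspect one parsed query. Everything left of the OAST suffix is attacker-chosen:
// the label directly before the suffix is the callback identifier, any labels
// before that are payload. Labels that are 8+ bytes of pure hex are decoded.
function inspectQuery(q) {
  const suffix = hasOastSuffix(q.qname);
  if (!suffix) return null;
  const labels = q.qname.replace(/\.$/, '').split('.');
  const suffixLabels = suffix.split('.').length;
  const payloadLabels = labels.slice(0, Math.max(0, labels.length - suffixLabels - 1));
  const decoded = payloadLabels
    .filter(l => /^(?:[0-9a-f]{2}){8,}$/i.test(l))
    .map(decodeHexLabel);
  return { client: q.client, qtype: q.qtype, qname: q.qname, suffix, decoded };
}

// Run the detection over a whole log; returns one finding per OAST query.
function detectOastExfil(logText) {
  return logText
    .split('\n')
    .map(parseDnsLine)
    .filter(Boolean)
    .map(inspectQuery)
    .filter(Boolean);
}

// Constructed sample log: two benign lookups, two OAST callbacks carrying
// hex-encoded host details ("build-host-01", "linux-x86_64"), one more benign lookup.
const SAMPLE_DNS_LOG = [
  '2025-01-06T10:00:01Z 10.0.0.12 A registry.npmjs.org',
  '2025-01-06T10:00:02Z 10.0.0.12 A 6275696c642d686f73742d3031.cs8j7xk2mzq1abcdefghijklmnopqrstuvw.oastify.com',
  '2025-01-06T10:00:03Z 10.0.0.12 A rubygems.org',
  '2025-01-06T10:00:04Z 10.0.0.12 TXT 6c696e75782d7838365f3634.f9d1q3a7vkc0abcdefghijklmnopqrstuvw.oast.fun',
  '2025-01-06T10:00:05Z 10.0.0.13 A github.com',
].join('\n');

for (const finding of detectOastExfil(SAMPLE_DNS_LOG)) {
  console.log(`${finding.client} -> ${finding.suffix}: ${finding.qname} decoded=${JSON.stringify(finding.decoded)}`);
}
```

A query to an OAST domain is a finding on its own, even when no payload label decodes, because build machines have no legitimate reason to resolve these domains; the decoded labels only tell you what was taken. Base32 or base64url payloads would need their own decoder, and a resolver that blocks the suffixes outright removes the exfiltration path rather than just observing it.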
To mitigate the supply chain risks posed by such packages, developers should verify package authenticity, including the exact publisher scope (for example @nomicfoundation rather than a near-miss), exercise caution when typing package names, pin versions with a lockfile, and inspect the source code, including any install scripts, before installation.
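Nearly every name in the list above is a one- or two-character variation on the genuine @nomicfoundation scope, so the "verify package authenticity" advice can be turned into an automated check on a project's package.json. The following is an added example, not code from the article, from Socket, or from the Hardhat project: it computes the edit distance between each dependency's scope (or bare name, for unscoped packages) and a list of trusted scopes, and flags near-misses. The trusted-scope list, the distance threshold of 2, and the sample package.json are assumptions constructed for this example.

```javascript
// Added example: flag dependencies whose scope or name is a near-miss for a
// trusted scope. Not part of the article, Socket, or Hardhat.

// Scopes the project actually intends to depend on (assumption for the example).
const TRUSTED_SCOPES = ['@nomicfoundation', '@openzeppelin'];
const MAX_DISTANCE = 2; // edits at or below this count as a lookalike

// Levenshtein edit distance (insert, delete, substitute) between two strings.
function editDistance(a, b) {
  const dp = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) dp[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      dp[i][j] = Math.min(
        dp[i - 1][j] + 1,
        dp[i][j - 1] + 1,
        dp[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1),
      );
    }
  }
  return dp[a.length][b.length];
}

// Split "@scope/name" into scope and name; unscoped packages get scope null.
function splitName(pkg) {
  const m = pkg.match(/^(@[^/]+)\/(.+)$/);
  return m ? { scope: m[1], name: m[2] } : { scope: null, name: pkg };
}

// Verdicts:
//   trusted   - scope is exactly a trusted scope
//   lookalike - scope is within MAX_DISTANCE edits of a trusted scope but not equal,
//               or an unscoped name is within MAX_DISTANCE of a trusted scope's bare name
//               (catches "nomicsfoundations" as well as "@nomisfoundation/...")
//   unknown   - neither; needs the usual review but is not a typosquat of a trusted scope
function classify(pkg) {
  const { scope, name } = splitName(pkg);
  for (const trusted of TRUSTED_SCOPES) {
    if (scope === trusted) return { pkg, verdict: 'trusted', target: trusted };
    if (scope !== null && editDistance(scope, trusted) <= MAX_DISTANCE) {
      return { pkg, verdict: 'lookalike', target: trusted };
    }
    if (scope === null && editDistance(name, trusted.slice(1)) <= MAX_DISTANCE) {
      return { pkg, verdict: 'lookalike', target: trusted };
    }
  }
  return { pkg, verdict: 'unknown', target: null };
}

// Audit dependencies and devDependencies of a parsed package.json; returns the lookalikes.
function auditDependencies(packageJson) {
  const deps = { ...(packageJson.dependencies || {}), ...(packageJson.devDependencies || {}) };
  return Object.keys(deps).map(classify).filter(r => r.verdict === 'lookalike');
}

// Constructed sample package.json: the genuine Hardhat toolbox plus names from the article.
const SAMPLE_PACKAGE_JSON = {
  dependencies: {
    '@nomicfoundation/hardhat-toolbox': '^5.0.0',
    '@nomicsfoundation/hardhat-config': '1.0.0',
    '@monicfoundation/hardhat-config': '1.0.0',
    'nomicsfoundations': '1.0.0',
    'hardhat-gas-optimizer': '1.0.0',
    'ethers': '^6.0.0',
  },
};

for (const hit of auditDependencies(SAMPLE_PACKAGE_JSON)) {
  console.log(`LOOKALIKE ${hit.pkg} (resembles ${hit.target})`);
}
```

In a CI pipeline this would read the real package.json (or better, the lockfile, so transitive dependencies are covered) and fail the build on any lookalike. Names such as hardhat-gas-optimizer come back as unknown rather than lookalike because they borrow the product name, not the scope; those still need a manual look at publisher, download history and install scripts, which is exactly the review the article asks for.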
This article is shared at no charge and is for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com
• Reporting: https://www.redskyalliance.org/
• Website: https://www.redskyalliance.com/
• LinkedIn: https://www.linkedin.com/company/64265941