Summary: Cybersecurity researchers have identified malicious packages in the npm registry that are designed to steal Ethereum private keys and establish unauthorized SSH access to victims’ machines. These packages impersonate a legitimate library and require active use by developers to execute the embedded malicious code.
Threat Actor: Unknown | unknown
Victim: Developers using npm packages | developers using npm packages
Key Point :
- Malicious npm packages aim to harvest Ethereum private keys and gain SSH access by modifying the authorized_keys file.
- Packages were published by accounts believed to be testing, with minimal changes across them.
- This attack requires developers to actively use the malicious package in their code for the exploit to trigger.
- Previous similar attacks have been documented, highlighting ongoing risks in the software supply chain.
- Malicious packages were quickly removed by their authors after a short period of availability.
Cybersecurity researchers have discovered a number of suspicious packages published to the npm registry that are designed to harvest Ethereum private keys and gain remote access to the machine via the secure shell (SSH) protocol.
The packages attempt to “gain SSH access to the victim’s machine by writing the attacker’s SSH public key in the root user’s authorized_keys file,” software supply chain security company Phylum said in an analysis published last week.
The list of packages, which aim to impersonate the legitimate ethers package, identified as part of the campaign are listed as follows –
Some of these packages, most of which have been published by accounts named “crstianokavic” and “timyorks,” are believed to have been released for testing purposes, as most of them carry minimal changes across them. The latest and the most complete package in the list is ethers-mew.
This is not the first time rogue packages with similar functionality have been discovered in the npm registry. In August 2023, Phylum detailed a package named ethereum-cryptographyy, a typosquat of a popular cryptocurrency library that exfiltrated the users’ private keys to a server in China by introducing a malicious dependency.
The latest attack campaign embraces a slightly different approach in that the malicious code is embedded directly into the packages, allowing threat actors to siphon the Ethereum private keys to the domain “ether-sign[.]com” under their control.
What makes this attack a lot more sneaky is the fact that it requires the developer to actually use the package in their code – such as creating a new Wallet instance using the imported package – unlike typically observed cases where simply installing the package is enough to trigger the execution of the malware.
In addition, the ethers-mew package comes with capabilities to modify the “/root/.ssh/authorized_keys” file to add an attacker-owned SSH key and grant them persistent remote access to the compromised host.
“All of these packages, along with the authors’ accounts, were only up for a very short period of time, apparently removed and deleted by the authors themselves,” Phylum said.
Source: https://thehackernews.com/2024/10/malicious-npm-packages-target.html