Cybersecurity researchers have discovered several cryptocurrency packages on the npm registry that have been hijacked to siphon sensitive information such as environment variables from compromised systems.
“Some of these packages have lived on npmjs.com for over 9 years, and provide legitimate functionality to blockchain developers,” Sonatype researcher Ax Sharma said. “However, […] the latest versions of each of these packages were laden with obfuscated scripts.”
The affected packages and their hijacked versions are listed below –
- country-currency-map (2.1.8)
- bnb-javascript-sdk-nobroadcast (2.16.16)
- @bithighlander/bitcoin-cash-js-lib (5.2.2)
- eslint-config-travix (6.3.1)
- @crosswise-finance1/sdk-v2 (0.1.21)
- @keepkey/device-protocol (7.13.3)
- @veniceswap/uikit (0.65.34)
- @veniceswap/eslint-config-pancake (1.6.2)
- babel-preset-travix (1.2.1)
- @travix/ui-themes (1.1.5)
- @coinmasters/types (4.8.16)
Analysis of these packages by the software supply chain security firm has revealed that they have been poisoned with heavily obfuscated code in two different scripts: “package/scripts/launch.js” and “package/scripts/diagnostic-report.js.”
The JavaScript code, which run immediately after the packages are installed, are designed to harvest sensitive data such as API keys, access tokens, SSH keys, and exfiltrate them to a remote server (“eoi2ectd5a5tn1h.m.pipedream[.]net”).
Interestingly, none of the GitHub repositories associated with the libraries have been modified to include the same changes, raising questions as to how the threat actors behind the campaign managed to push malicious code. It’s currently not known what the end goal of the campaign is.
“We hypothesize the cause of the hijack to be old npm maintainer accounts getting compromised either via credential stuffing (which is where threat actors retry usernames and passwords leaked in previous breaches to compromise accounts on other websites), or an expired domain takeover,” Sharma said.
“Given the concurrent timing of the attacks on multiple projects from distinct maintainers, the first scenario (maintainer accounts takeover) appears to be more likely as opposed to well-orchestrated phishing attacks.”
The findings underscore the need for securing accounts with two-factor authentication (2FA) to prevent takeover attacks. They also highlight the challenges associated with enforcing such security safeguards when open-source projects reach end-of-life or are no longer actively maintained.
“The case highlights a pressing need for improved supply chain security measures and greater vigilance in monitoring third-party software registries developers,” Sharma said. “Organizations must prioritize security at every stage of the development process to mitigate risks associated with third-party dependencies.”
