Cybersecurity researchers have discovered several cryptocurrency-related packages on the npm registry that were hijacked to siphon sensitive information, such as environment variables, from compromised systems.
“Some of these packages have lived on npmjs.com for over nine years, providing legitimate functionality for blockchain developers,” said Sonatype researcher Ax Sharma. “But (…) the latest versions of each of these packages had obfuscated scripts.”
The affected packages and their hijacked versions are listed below:
- country-currency-map (2.1.8)
- bnb-javascript-sdk-nobroadcast (2.16.16)
- @bithighlander/bitcoin-cash-js-lib (5.2.2)
- eslint-config-travix (6.3.1)
- @crosswise-finance1/sdk-v2 (0.1.21)
- @keepkey/device-protocol (7.13.3)
- @veniceswap/uikit (0.65.34)
- @veniceswap/eslint-config-pankake (1.6.2)
- babel-preset-travix (1.2.1)
- @travix/ui-themes (1.1.5)
- @coinmasters/types (4.8.16)
Analysis of the packages by the software supply chain security company revealed that they were poisoned with heavily obfuscated code in two separate scripts: “package/scripts/launch.js” and “package/scripts/diagnostic-report.js”.

The JavaScript code, which runs immediately after the package is installed, is designed to harvest sensitive data such as API keys, access tokens and SSH keys, and exfiltrate it to a remote server (“eoi2ectd5a5tn1h.m.pipedream(.)net”).
Interestingly, none of the GitHub repositories associated with the libraries were modified to include the same changes, raising questions about how the threat actors behind the campaign pushed the malicious code. The campaign’s ultimate goal is currently unknown.
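As an added defender-side example (not code from the article or from Sonatype), the following Node.js script checks a project's package-lock.json (lockfile v2/v3 format) against the hijacked versions listed above and lists every dependency that npm has flagged with an install hook, since that is where the malicious code in this campaign ran; the lockfile it runs on here is a constructed sample.

```javascript
// Added example (not from the article or Sonatype): audit an npm lockfile (v2/v3) for
// the hijacked versions listed above and for dependencies that declare an install hook.
// Hijacked versions as listed in the article (names in npm's lowercase form).
const HIJACKED = {
  'country-currency-map': '2.1.8',
  'bnb-javascript-sdk-nobroadcast': '2.16.16',
  '@bithighlander/bitcoin-cash-js-lib': '5.2.2',
  'eslint-config-travix': '6.3.1',
  '@crosswise-finance1/sdk-v2': '0.1.21',
  '@keepkey/device-protocol': '7.13.3',
  '@veniceswap/uikit': '0.65.34',
  '@veniceswap/eslint-config-pankake': '1.6.2',
  'babel-preset-travix': '1.2.1',
  '@travix/ui-themes': '1.1.5',
  '@coinmasters/types': '4.8.16',
};
// Lockfile keys look like "node_modules/a/node_modules/@scope/b"; the package
// name is everything after the last "node_modules/".
function nameFromKey(key) {
  const i = key.lastIndexOf('node_modules/');
  return i === -1 ? key : key.slice(i + 'node_modules/'.length);
}

// A hijacked version is a hard failure; any package with hasInstallScript (set by
// npm when it declares preinstall/install/postinstall) needs manual review, because
// that hook runs arbitrary code on every `npm install`, as in this campaign.
function auditLock(lock) {
  const hijacked = [], installScripts = [];
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    if (key === '') continue; // root project entry
    const name = nameFromKey(key);
    if (HIJACKED[name] === meta.version) hijacked.push({ name, version: meta.version, path: key });
    if (meta.hasInstallScript) installScripts.push(name);
  }
  return { hijacked, installScripts };
}

// Constructed sample lockfile (not a real project) so the block runs offline:
// a hijacked top-level dep, a hijacked nested dep, and a benign install hook.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/country-currency-map': { version: '2.1.8', hasInstallScript: true },
    'node_modules/x/node_modules/@coinmasters/types': { version: '4.8.16', hasInstallScript: true },
    'node_modules/esbuild': { version: '0.19.0', hasInstallScript: true },
  },
};
console.log(JSON.stringify(auditLock(SAMPLE_LOCK), null, 2));
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`.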
“We were breached by either credential stuffing (threat actors using leaked usernames and passwords to compromise accounts on other websites) or an expired domain acquisition, assuming the hijacking was of an old NPM maintainer account,” Sharma said.
“Given the simultaneous timing of attacks on multiple projects from distinct maintainers, the initial scenario (acquisition of maintainer accounts) appears to be more likely, in contrast to a well-structured phishing attack.”
The findings highlight the need to protect accounts with two-factor authentication (2FA) to prevent account takeover attacks. They also highlight the challenges of enforcing such safeguards when open source projects have reached end of life or are no longer actively maintained.
“This case highlights the urgent need for improved supply chain security measures and greater vigilance in monitoring third-party software registries,” Sharma said. “Organizations need to prioritize security at every stage of the development process to mitigate the risks associated with third-party dependencies.”