A recent malicious campaign has been identified targeting Ethereum developers, aiming to steal private keys using fake Hardhat npm packages. It is crucial for developers to enhance monitoring and security measures to safeguard their development environments against such threats.
New Malicious Campaign Uses Fake Hardhat npm Packages To Steal Private Keys
The Socket.dev research team has reported a new malicious campaign that is actively targeting Ethereum developers. The attackers are running a supply chain attack that impersonates Nomic Foundation and Hardhat tooling by publishing fake Hardhat npm packages.
The malicious actors publish packages that mimic legitimate Hardhat plugins in order to deceive users. These fake packages claim to provide the same functionality as the authentic plugins, and even advertise familiar workflows such as gas optimization and smart contract testing so that they appear legitimate.
Because these deceptive packages are hosted on npm, developers tend to treat them as trustworthy, which makes it easier for the attackers to harvest data such as private keys and mnemonics from the Hardhat environment. The stolen data is encrypted with an AES key and sent to attacker-controlled endpoints.
In some cases, the attackers may use these packages to deploy malicious contracts, potentially disrupting the Ethereum mainnet.
During their investigation, the Socket.dev team discovered 20 malicious packages from three authors, including the package @nomicsfoundation/sdk-test, which received over 1000 downloads, indicating the significant impact of this campaign.
To mitigate the risk from such threats, Ethereum developers are advised to build rigorous security monitoring and auditing practices into their development workflows. Developers should also exercise caution when selecting packages, so that they do not fall victim to look-alike names of the kind used in this campaign.
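One concrete check behind that advice is to compare the npm scope of every dependency against the scopes a team actually trusts and flag near-misses, which is exactly the trick behind @nomicsfoundation versus the genuine @nomicfoundation scope. The script below is an added example written for this page; it is not code from the article, from Socket.dev or from Nomic Foundation. It assumes the team maintains its own allowlist of trusted scopes (the two scopes listed are an assumption), and the sample package.json is constructed for the demonstration, with the malicious scope taken from the article.

```javascript
// Added example, not from the article or from Socket.dev / Nomic Foundation:
// flag dependencies whose npm scope is a near-miss of a scope the team trusts.
// The allowlist below is an assumption; a real team maintains its own list.
const TRUSTED_SCOPES = ["@nomicfoundation", "@nomiclabs"];

// Classic Levenshtein edit distance; scope names are short, so O(n*m) is fine.
function editDistance(a, b) {
  const rows = a.length + 1;
  const cols = b.length + 1;
  const d = Array.from({ length: rows }, (_, i) => {
    const row = new Array(cols).fill(0);
    row[0] = i;
    return row;
  });
  for (let j = 0; j < cols; j++) d[0][j] = j;
  for (let i = 1; i < rows; i++) {
    for (let j = 1; j < cols; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
    }
  }
  return d[rows - 1][cols - 1];
}

// Returns the "@scope" prefix of a package name, or null if the package is unscoped.
function scopeOf(pkgName) {
  if (!pkgName.startsWith("@")) return null;
  const slash = pkgName.indexOf("/");
  return slash === -1 ? null : pkgName.slice(0, slash);
}

// Walks the dependency maps of a parsed package.json and returns one finding per
// package whose scope is within `maxDistance` edits of a trusted scope without
// being that scope. Exact matches are trusted and skipped; unscoped packages are
// ignored because this check is only about scope impersonation.
function findLookalikeScopes(pkgJson, trusted = TRUSTED_SCOPES, maxDistance = 2) {
  const findings = [];
  const sections = ["dependencies", "devDependencies", "optionalDependencies"];
  for (const section of sections) {
    for (const name of Object.keys(pkgJson[section] || {})) {
      const scope = scopeOf(name);
      if (scope === null || trusted.includes(scope)) continue;
      let best = null;
      for (const t of trusted) {
        const dist = editDistance(scope.toLowerCase(), t.toLowerCase());
        if (dist <= maxDistance && (best === null || dist < best.distance)) {
          best = { package: name, section, lookalikeOf: t, distance: dist };
        }
      }
      if (best !== null) findings.push(best);
    }
  }
  return findings;
}

// Constructed sample manifest. @nomicsfoundation/sdk-test is the package named in
// the article; every other entry is made up for this demonstration.
const SAMPLE_PACKAGE_JSON = {
  name: "example-dapp",
  dependencies: {
    "ethers": "^6.0.0",
    "@nomicsfoundation/sdk-test": "^1.0.0"
  },
  devDependencies: {
    "hardhat": "^2.0.0",
    "@nomicfoundation/hardhat-toolbox": "^4.0.0",
    "@nomiclab/hardhat-example": "^1.0.0"
  }
};

for (const f of findLookalikeScopes(SAMPLE_PACKAGE_JSON)) {
  console.log(
    `SUSPICIOUS ${f.section}: ${f.package} (scope is ${f.distance} edit(s) from ${f.lookalikeOf})`
  );
}
```

Run against the sample manifest, the script reports the article's @nomicsfoundation/sdk-test and the constructed @nomiclab/hardhat-example, and stays silent on the genuine @nomicfoundation/hardhat-toolbox. A check like this belongs in CI or a pre-install hook so that a typo in a scope is caught before npm ever resolves the package.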