Nine-Year-Old npm Packages Hijacked to Exfiltrate API Keys via Obfuscated Scripts

Mar 28, 2025 | Ravie Lakshmanan | Cryptocurrency / Developer Security

\"npm

Cybersecurity experts have identified multiple cryptocurrency packages on the npm registry that have been compromised to extract sensitive information like environment variables from affected systems.

"Some of these packages have been available on npmjs.com for over 9 years, offering legitimate features to blockchain developers," Sonatype researcher Ax Sharma said. "However, the latest versions of these packages contained hidden scripts."

\"Cybersecurity\"

The impacted packages and their compromised versions are listed below –

  • country-currency-map (2.1.8)
  • bnb-javascript-sdk-nobroadcast (2.16.16)
  • @bithighlander/bitcoin-cash-js-lib (5.2.2)
  • eslint-config-travix (6.3.1)
  • @crosswise-finance1/sdk-v2 (0.1.21)
  • @keepkey/device-protocol (7.13.3)
  • @veniceswap/uikit (0.65.34)
  • @veniceswap/eslint-config-pancake (1.6.2)
  • babel-preset-travix (1.2.1)
  • @travix/ui-themes (1.1.5)
  • @coinmasters/types (4.8.16)

An examination of these packages by the software supply chain security company has revealed that they have been injected with highly obfuscated code in two specific scripts: "package/scripts/launch.js" and "package/scripts/diagnostic-report.js."

\"npm

The JavaScript code embedded in these packages, which executes immediately after installation, is crafted to collect confidential data such as API keys, access tokens, and SSH keys, and to transmit them to a remote server ("eoi2ectd5a5tn1h.m.pipedream[.]net").
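As an added defensive example (not code from the article or from Sonatype), the following Node.js script checks a package-lock.json for the compromised versions listed above and flags any dependency that npm marks as carrying an install-time lifecycle script, the mechanism that let the hijacked packages run their scripts right after installation; the lockfile contents are constructed for illustration.

```javascript
// Added example: audit a package-lock.json (lockfileVersion 2 or 3) for the
// compromised versions named in the article and for any dependency npm
// records as having a preinstall/install/postinstall script.
const COMPROMISED = {
  "country-currency-map": "2.1.8",
  "bnb-javascript-sdk-nobroadcast": "2.16.16",
  "@bithighlander/bitcoin-cash-js-lib": "5.2.2",
  "eslint-config-travix": "6.3.1",
  "@crosswise-finance1/sdk-v2": "0.1.21",
  "@keepkey/device-protocol": "7.13.3",
  "@veniceswap/uikit": "0.65.34",
  "@veniceswap/eslint-config-pancake": "1.6.2",
  "babel-preset-travix": "1.2.1",
  "@travix/ui-themes": "1.1.5",
  "@coinmasters/types": "4.8.16",
};

function auditLockfile(lock) {
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    if (lockPath === "") continue; // the root project entry
    // Keys look like "node_modules/@scope/name" or "node_modules/a/node_modules/b".
    const name = lockPath.slice(lockPath.lastIndexOf("node_modules/") + 13);
    const version = entry.version;
    if (COMPROMISED[name] === version) {
      findings.push({ name, version, reason: "known-compromised version" });
    }
    // npm sets hasInstallScript when a package declares preinstall, install
    // or postinstall; such packages deserve review before they are trusted.
    if (entry.hasInstallScript) {
      findings.push({ name, version, reason: "install-time lifecycle script" });
    }
  }
  return findings;
}

// Constructed sample lockfile for demonstration, not a real project.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/country-currency-map": { version: "2.1.8", hasInstallScript: true },
    "node_modules/left-pad": { version: "1.3.0" },
    "node_modules/@veniceswap/uikit": { version: "0.65.33" },
    "node_modules/foo/node_modules/@coinmasters/types": { version: "4.8.16" },
  },
};

console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
```

Run it against a real lockfile by replacing SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`.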

Interestingly, none of the GitHub repositories linked to the libraries have been altered to include the same malicious changes, prompting questions about how the threat actors behind the breach were able to push harmful code. The ultimate motive of the attack remains unknown.

"We suspect the hijack was enabled by compromised old npm maintainer accounts through either credential stuffing (a method where attackers reuse leaked usernames and passwords from previous breaches to compromise accounts on other platforms) or an expired domain takeover," Sharma suggested.

\"Cybersecurity\"

"Considering the simultaneous nature of the attacks on various projects managed by different maintainers, the first scenario (takeover of maintainer accounts) appears more plausible than coordinated phishing schemes."

These findings emphasize the importance of implementing two-factor authentication (2FA) to secure accounts against takeover attempts. They also underscore the difficulties in enforcing such security measures when open-source projects reach their end-of-life or are no longer actively maintained.

"This incident highlights the urgent need for enhanced supply chain security practices and increased monitoring of third-party software registries by developers," Sharma emphasized. "Businesses should prioritize security throughout the development process to mitigate risks associated with third-party dependencies."
