Cybersecurity researchers have revealed several malicious packages on the npm registry that have been found impersonating the Nomic Foundation’s Hardhat tool in order to steal sensitive data from developer systems.
“By exploiting trust in open source plugins, attackers have infiltrated these platforms through malicious npm packages, exfiltrating critical data such as private keys, mnemonics, and configuration details,” the Socket research team said in an analysis.
Hardhat is a development environment for Ethereum software, incorporating various components for editing, compiling, debugging and deploying smart contracts and decentralized apps (dApps).
The list of identified counterfeit packages is as follows –
- nomicsfoundations
- @nomisfoundation/hardhat-configure
- installedpackagepublish
- @nomisfoundation/hardhat-config
- @monicfoundation/hardhat-config
- @nomicsfoundation/sdk-test
- @nomicsfoundation/hardhat-config
- @nomicsfoundation/web3-sdk
- @nomicsfoundation/sdk-test1
- @nomicfoundations/hardhat-config
- crypto-nodes-validator
- solana-validator
- node-validators
- hardhat-deploy-others
- hardhat-gas-optimizer
- solidity-comments-extractors
Of these packages, @nomicsfoundation/sdk-test has attracted 1,092 downloads. It was published over a year ago in October 2023. Once installed, they are designed to harvest mnemonic phrases and private keys from the Hardhat environment, following which they are exfiltrated to an attacker-controlled server.
“The attack begins when compromised packages are installed. These packages exploit the Hardhat runtime environment using functions such as hreInit() and hreConfig() to collect sensitive details like private keys, mnemonics, and configuration files,” the company said.
“The collected data is transmitted to attacker-controlled endpoints, leveraging hardcoded keys and Ethereum addresses for streamlined exfiltration.”
The disclosure comes days after the discovery of another malicious npm package named ethereumvulncontracthandler that masquerades as a library for detecting vulnerabilities in Ethereum smart contracts but instead harbored functionality to drop the Quasar RAT malware.
In recent months, malicious npm packages have also been observed using Ethereum smart contracts for command-and-control (C2) server address distribution, co-opting infected machines into a blockchain-powered botnet called MisakaNetwork. The campaign has been tracked back to a Russian-speaking threat actor named “_lain.”
“The threat actor points out an inherent npm ecosystem complexity, where packages often rely on numerous dependencies, creating a complex ‘nesting doll’ structure,” Socket said.
“This dependency chain makes comprehensive security reviews challenging and opens opportunities for attackers to introduce malicious code. _lain admits to exploiting this complexity and dependency sprawl in npm ecosystems, knowing that it is impractical for developers to scrutinize every single package and dependency.”
That’s not all. A set of phony libraries uncovered across the npm, PyPI, and RubyGems ecosystems have been found leveraging out-of-band application security testing (OAST) tools such as oastify.com and oast.fun to exfiltrate sensitive data to attacker-controlled servers.
The names of the packages are as follows –
- adobe-dcapi-web (npm), which avoids compromising Windows, Linux, and macOS endpoints located in Russia and comes with capabilities to collect system information
- monoliht (PyPI), which collects system metadata
- chauuuyhhn, nosvemosssadfsd, holaaaaaafasdf (RubyGems), which contain embedded scripts designed to transfer sensitive information via DNS queries to an oastify.com endpoint
“The same tools and techniques created for ethical security assessments are being misused by threat actors,” Socket researcher Kirill Boychenko said. “Originally intended to uncover vulnerabilities in web applications, OAST methods are increasingly exploited to steal data, establish command and control (C2) channels, and execute multi-stage attacks.”
To mitigate the supply chain risks posed by such packages, it’s recommended that software developers verify package authenticity, exercise caution when typing package names, and inspect the source code before installation.
