Malicious npm packages target Ethereum developers’ private keys
Twenty malicious packages impersonating the Hardhat development environment used by Ethereum developers are targeting private keys and other sensitive data.
Collectively, the malicious packages have recorded more than one thousand downloads, researchers say.
Narrowly targeted campaign
Hardhat is a widely used Ethereum development environment maintained by the Nomic Foundation. It is used for developing, testing, and deploying smart contracts and decentralized applications (dApps) on the Ethereum blockchain.
It is generally used by blockchain software developers, fintech firms and startups, and educational institutions.
These users often source their project components from npm (Node Package Manager), a widely used tool in the JavaScript ecosystem that helps developers manage dependencies, libraries, and modules.
On npm, three malicious accounts uploaded 20 info-stealing packages that used typosquatting to impersonate legitimate packages and trick people into installing them.
Socket shared the names of 16 malicious packages, which are:
- nomicsfoundations
- @nomisfoundation/hardhat-configure
- installedpackagepublish
- @nomisfoundation/hardhat-config
- @monicfoundation/hardhat-config
- @nomicsfoundation/sdk-test
- @nomicsfoundation/hardhat-config
- @nomicsfoundation/web3-sdk
- @nomicsfoundation/sdk-test1
- @nomicfoundations/hardhat-config
- crypto-nodes-validator
- solana-validator
- node-validators
- hardhat-deploy-others
- hardhat-gas-optimizer
- solidity-comments-extractors
Once installed, code in those packages attempts to collect Hardhat private keys, configuration files, and mnemonics, encrypt them with a hardcoded AES key, and then exfiltrate them to the attackers.
“These packages exploit the Hardhat runtime environment using functions such as hreInit() and hreConfig() to collect sensitive details like private keys, mnemonics, and configuration files,” explains Socket.
“The collected data is transmitted to attacker-controlled endpoints, leveraging hardcoded keys and Ethereum addresses for streamlined exfiltration.”
Security risks and mitigations
Private keys and mnemonics are used to access Ethereum wallets, so the first potential ramification of this attack is the loss of funds through initiating unauthorized transactions.
In addition, since many of the compromised systems belong to developers, the attackers could gain unauthorized access to production systems and compromise smart contracts or deploy malicious clones of existing dApps to lay the groundwork for more impactful, broader-scale attacks.
Hardhat configuration files can include API keys for third-party services as well as information about the development network and endpoints, and they can be leveraged to prepare phishing attacks.
Software developers should exercise caution, verify package authenticity, be wary of typosquatting, and inspect the source code before installation.
As a general recommendation, private keys should not be hardcoded but stored in secure vaults.
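The weak pattern the recommendation above warns against, beside the corrected one, as an added example (this is not code from the article, from Socket, or from the Hardhat project): a `hardhat.config.js` fragment with a private key pasted in as a literal, a loader that instead reads the key from the process environment (populated by a vault agent or CI secret store, names such as `DEPLOYER_PRIVATE_KEY` are this example's assumption) and validates its shape, and a pre-commit style scanner that flags 32-byte hex literals in the config source. The placeholder key value and the sample config text are constructed.

```javascript
"use strict";

// A raw secp256k1 private key is 32 bytes: "0x" followed by 64 hex characters.
const PRIVATE_KEY_RE = /^0x[0-9a-fA-F]{64}$/;

// Weak pattern (constructed sample of a hardhat.config.js): the signing key is a
// string literal, so it ships with the repository and with every backup of it.
const WEAK_CONFIG_SOURCE = [
  "module.exports = {",
  "  networks: {",
  "    sepolia: {",
  '      url: "https://rpc.example.invalid",',
  '      accounts: ["0x' + "11".repeat(32) + '"],', // placeholder, not a real key
  "    },",
  "  },",
  "};",
].join("\n");

// Corrected pattern: resolve the key at runtime from the environment. Variable
// names are this example's assumption. A missing key yields no signer (read-only
// tasks still work); a malformed key fails loudly rather than deploying nothing.
function loadAccounts(env, varName = "DEPLOYER_PRIVATE_KEY") {
  const key = env[varName];
  if (key === undefined) return [];
  if (!PRIVATE_KEY_RE.test(key)) {
    throw new Error(`${varName} is not a 0x-prefixed 32-byte hex private key`);
  }
  return [key];
}

// Hardhat's networks config accepts an array of private keys under `accounts`.
function buildNetworks(env) {
  return {
    sepolia: { url: env.SEPOLIA_RPC_URL || "", accounts: loadAccounts(env) },
  };
}

// Pre-commit check: report the 1-based line numbers of any 32-byte hex literal
// in a config source file. The look-around keeps longer hex blobs from matching.
function findHardcodedKeys(source) {
  const re = /(?<![0-9a-zA-Z])0x[0-9a-fA-F]{64}(?![0-9a-fA-F])/;
  const hits = [];
  source.split("\n").forEach((line, i) => {
    if (re.test(line)) hits.push(i + 1);
  });
  return hits;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("hardcoded key on line(s):", findHardcodedKeys(WEAK_CONFIG_SOURCE));
  console.log("env-loaded networks:", JSON.stringify(buildNetworks(process.env)));
}
```

The scanner is deliberately coarse: a 64-hex literal can also be a transaction hash or a `bytes32` constant, so a hit is a prompt to review the line, not proof of a leaked key. Run it over `hardhat.config.js`, `.env` files and deployment scripts before each commit; the same exported-function shape (`module.exports = { networks: buildNetworks(process.env) }`) plugs straight into a Hardhat config.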
To minimize exposure to such risks, use lock files, pin your dependencies to specific versions, and use as few dependencies as practically possible.
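The typosquatting check from the advice above and the version-pinning check from this paragraph, combined into one added example (not code from the article, from Socket, or from any npm tooling): a small audit that walks the dependency maps of a parsed `package.json`, compares each scope and bare name against an allowlist using edit distance, flags names that merely share a prefix with a trusted package, and flags version ranges that are not exact. The allowlist is this example's assumption (`@nomicfoundation` is Hardhat's real scope; the other entries are common Ethereum tooling); the sample `package.json` is constructed, with the impostor names taken from Socket's list and placeholder versions.

```javascript
"use strict";

// Example allowlist (this example's assumption): scopes and bare names a Hardhat
// project is expected to depend on. Anything else is reported for review.
const TRUSTED_SCOPES = ["@nomicfoundation", "@openzeppelin"];
const TRUSTED_NAMES = ["hardhat", "hardhat-deploy", "hardhat-gas-reporter", "ethers"];
const MAX_DISTANCE = 2; // edit distance at or below this counts as a near-miss

// Optimal-string-alignment edit distance: insertions, deletions, substitutions
// and adjacent transpositions each cost 1 (catches "monic"/"nomic" style swaps).
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Split "@scope/name" into scope and bare name; unscoped packages get scope null.
function splitName(pkg) {
  const m = /^(@[^/]+)\/(.+)$/.exec(pkg);
  return m ? { scope: m[1], name: m[2] } : { scope: null, name: pkg };
}

// Closest trusted string within MAX_DISTANCE of `s` (excluding exact matches), or null.
function nearMiss(s, candidates) {
  let best = null;
  for (const c of candidates) {
    if (c === s) continue;
    const dist = editDistance(s, c);
    if (dist <= MAX_DISTANCE && (best === null || dist < best.dist)) best = { match: c, dist };
  }
  return best;
}

// Classify one dependency; returns [] when it is allowlisted and pinned exactly.
function classify(pkg, range) {
  const findings = [];
  const { scope, name } = splitName(pkg);
  const bareScopes = TRUSTED_SCOPES.map((s) => s.slice(1));

  if (scope !== null) {
    if (!TRUSTED_SCOPES.includes(scope)) {
      const hit = nearMiss(scope.slice(1), bareScopes);
      if (hit) findings.push({ pkg, kind: "typosquat", detail: "@" + hit.match });
      else findings.push({ pkg, kind: "review", detail: "scope not on allowlist" });
    }
  } else if (!TRUSTED_NAMES.includes(name)) {
    // An unscoped name can squat a trusted scope ("nomicsfoundations") or a trusted name.
    const hit = nearMiss(name, bareScopes.concat(TRUSTED_NAMES));
    const prefixOf = TRUSTED_NAMES.filter((t) => name.startsWith(t + "-"))
      .sort((x, y) => y.length - x.length)[0];
    if (hit) {
      const detail = bareScopes.includes(hit.match) ? "@" + hit.match : hit.match;
      findings.push({ pkg, kind: "typosquat", detail });
    } else if (prefixOf) {
      findings.push({ pkg, kind: "lookalike", detail: prefixOf });
    } else {
      findings.push({ pkg, kind: "review", detail: "package not on allowlist" });
    }
  }

  // Only an exact "x.y.z" is pinned; "^", "~", ">=" and tags can resolve differently per install.
  if (!/^\d+\.\d+\.\d+$/.test(range)) findings.push({ pkg, kind: "unpinned", detail: range });
  return findings;
}

// Audit both dependency maps of a parsed package.json.
function auditPackageJson(pkgJson) {
  const out = [];
  for (const field of ["dependencies", "devDependencies"]) {
    for (const [pkg, range] of Object.entries(pkgJson[field] || {})) out.push(...classify(pkg, range));
  }
  return out;
}

// Constructed sample: impostor names from Socket's list, placeholder versions.
const SAMPLE = {
  dependencies: {
    "hardhat": "2.22.0",
    "@nomicfoundation/hardhat-toolbox": "^5.0.0",
    "@nomisfoundation/hardhat-config": "1.0.0",
    "@monicfoundation/hardhat-config": "1.0.0",
    "nomicsfoundations": "1.0.0",
    "hardhat-deploy-others": "1.0.0",
    "solidity-comments-extractors": "1.0.0",
  },
};

if (typeof require !== "undefined" && require.main === module) {
  for (const f of auditPackageJson(SAMPLE)) console.log(`${f.kind.padEnd(9)} ${f.pkg}  (${f.detail})`);
}
```

Edit distance alone does not catch prefix-style impostors such as `hardhat-deploy-others`, which is why the audit also reports anything sharing a trusted name's prefix and anything simply absent from the allowlist; with an allowlist this is a "deny by default" policy, so expect to extend it as the project grows. The `unpinned` findings are the pinning half of the advice: exact versions in `package.json` plus a committed lock file make each install resolve to the same artifact.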