Malicious npm packages target Ethereum developers' private keys

Twenty malicious packages impersonating the Hardhat development environment used by Ethereum developers are targeting private keys and other sensitive data.

Collectively, the malicious packages have recorded more than one thousand downloads, researchers say.

Narrow targeting campaign

Hardhat is a widely used Ethereum development environment maintained by the Nomic Foundation. It is used for developing, testing, and deploying smart contracts and decentralized applications (dApps) on the Ethereum blockchain.

It is generally used by blockchain software developers, fintech firms and startups, and educational institutions.

These users often source their project components from npm (Node Package Manager), a widely used tool in the JavaScript ecosystem that helps developers manage dependencies, libraries, and modules.

On npm, three malicious accounts uploaded 20 info-stealing packages that used typosquatting to impersonate legitimate packages and trick people into installing them.

Socket shared the names of 16 of the malicious packages, which are:

  1. nomicsfoundations
  2. @nomisfoundation/hardhat-configure
  3. installedpackagepublish
  4. @nomisfoundation/hardhat-config
  5. @monicfoundation/hardhat-config
  6. @nomicsfoundation/sdk-test
  7. @nomicsfoundation/hardhat-config
  8. @nomicsfoundation/web3-sdk
  9. @nomicsfoundation/sdk-test1
  10. @nomicfoundations/hardhat-config
  11. crypto-nodes-validator
  12. solana-validator
  13. node-validators
  14. hardhat-deploy-others
  15. hardhat-gas-optimizer
  16. solidity-comments-extractors

Once installed, code in those packages attempts to collect Hardhat private keys, configuration files, and mnemonics, encrypt them with a hardcoded AES key, and then exfiltrate them to the attackers.

“These packages exploit the Hardhat runtime environment using functions such as hreInit() and hreConfig() to collect sensitive details like private keys, mnemonics, and configuration files,” explains Socket.

“The collected data is transmitted to attacker-controlled endpoints, leveraging hardcoded keys and Ethereum addresses for streamlined exfiltration.”

Security risks and mitigations

Private keys and mnemonics are used to access Ethereum wallets, so the first potential ramification of this attack is the loss of funds through initiating unauthorized transactions.

In addition, since many of the compromised systems belong to developers, the attackers could gain unauthorized access to production systems and compromise smart contracts or deploy malicious clones of existing dApps, laying the groundwork for more impactful, broader-scale attacks.

Hardhat configuration files can include API keys for third-party services as well as information about the development network and endpoints, and they can be leveraged to prepare phishing attacks.

Software developers should exercise caution, verify package authenticity, be wary of typosquatting, and inspect the source code before installation.

As a general recommendation, private keys should not be hardcoded but stored in secure vaults.

To minimize exposure to such risks, use lock files, pin your dependencies to specific versions, and use as few dependencies as practically possible.
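One way to turn the typosquatting and version-pinning advice above into a pre-install check, as an added example that is not code from the article, Socket or the Nomic Foundation: it audits a package.json object against the 16 names listed above, flags scopes that are a character or two away from Hardhat's legitimate npm scope, and flags version ranges that are not pinned. It assumes that the official Hardhat packages are published under the `@nomicfoundation` scope; the sample package.json is constructed.

```javascript
// Added example, not code from the article, Socket or Nomic Foundation. Audits a
// package.json object for (1) the package names Socket listed in the article,
// (2) scopes that are near misses of Hardhat's legitimate npm scope, and (3) unpinned versions.
const LEGIT_SCOPE = "@nomicfoundation"; // assumption: Hardhat's official scope
// The 16 names from the article's list.
const KNOWN_BAD = new Set([
  "nomicsfoundations", "@nomisfoundation/hardhat-configure", "installedpackagepublish",
  "@nomisfoundation/hardhat-config", "@monicfoundation/hardhat-config",
  "@nomicsfoundation/sdk-test", "@nomicsfoundation/hardhat-config",
  "@nomicsfoundation/web3-sdk", "@nomicsfoundation/sdk-test1",
  "@nomicfoundations/hardhat-config", "crypto-nodes-validator", "solana-validator",
  "node-validators", "hardhat-deploy-others", "hardhat-gas-optimizer",
  "solidity-comments-extractors",
]);

// Damerau-Levenshtein distance (insert, delete, substitute, adjacent swap counts as one edit).
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) =>
    Array.from({ length: b.length + 1 }, (_, j) => (i === 0 ? j : j === 0 ? i : 0)));
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
    }
  }
  return d[a.length][b.length];
}

// Returns [{ name, reason }] findings for one parsed package.json; empty array means nothing to flag.
function auditDependencies(pkg) {
  const findings = [];
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  for (const [name, version] of Object.entries(deps)) {
    if (KNOWN_BAD.has(name)) findings.push({ name, reason: "known-malicious" });
    const scope = name.startsWith("@") ? name.split("/")[0] : null;
    // A scope within two edits of the real one, but not equal to it, is a likely typosquat.
    if (scope && scope !== LEGIT_SCOPE && editDistance(scope, LEGIT_SCOPE) <= 2) findings.push({ name, reason: "typosquat-scope" });
    // Ranges (^, ~, *, latest) let a later malicious release slip in; require an exact x.y.z.
    if (!/^\d+\.\d+\.\d+$/.test(version)) findings.push({ name, reason: "unpinned-version" });
  }
  return findings;
}

// Constructed sample: one clean pinned dependency, one typosquat from the list with a caret range,
// and one legitimate but unpinned dev dependency (version strings are made up for the example).
const SAMPLE_PKG = {
  dependencies: { "@nomicfoundation/hardhat-toolbox": "5.0.0", "@nomisfoundation/hardhat-config": "^1.0.0" },
  devDependencies: { hardhat: "^2.22.0" },
};
```

Running `auditDependencies(SAMPLE_PKG)` yields four findings: the typosquat is reported both as a known-malicious name and as a near-miss scope, and both caret ranges are reported as unpinned.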
