The cybersecurity landscape is facing a significant threat with a new wave of supply chain attacks specifically targeting blockchain developers, Web3 teams, and cloud engineers. Researchers have identified a coordinated effort involving multiple malicious npm packages designed to stealthily extract sensitive information from developers as soon as these packages are installed.
Details of the Malicious Campaign
Among the sensitive data at risk are SSH private keys, cloud credentials, wallet phrases, and API tokens. The campaign’s sheer scale is troubling, with one of the implicated packages, moralis-sdk, amassing over 2.7 million downloads before being flagged by researchers.
This widespread reach suggests that numerous developer workstations, CI/CD pipelines, and cloud environments may have been compromised without detection. Analysts from Cyfirma discovered the campaign by identifying suspicious npm packages, ethers-jss and coinbase-wallet-utils, which were crafted to mimic legitimate Ethereum development tools.
Technical Analysis of the Attack
The investigation revealed eleven suspect npm packages connected to the same operation. These packages were grouped into four distinct operational clusters, each using a unique method to target developers. Some exploited npm lifecycle hooks for automatic code execution during installation, while others used obfuscated loaders and Ethereum smart contracts to obscure command-and-control addresses.
Collectively, these packages achieved over 2.72 million downloads, marking this as one of the most impactful npm supply chain attacks in recent times. Despite detection, some packages continued to reach new victims, indicating ongoing active downloads.
Infection Methods and Security Recommendations
The infection strategy was deceptively straightforward. The npm lifecycle scripts, either preinstall or postinstall hooks, triggered malicious code execution the moment a developer initiated an install command, requiring no additional steps from the victim.
The ethers-jss package, for instance, acted as a malicious overlay of the real ethers library. It compromised wallet creation and recovery processes, capturing private keys and mnemonic phrases and transmitting them to an attacker-controlled server via GitHub Codespaces.
Cyfirma advises utilizing the npm install –ignore-scripts flag to thwart automatic script execution during installations. Organizations are also encouraged to implement Software Composition Analysis tools, avoid storing private keys or seed phrases in plaintext, and promptly rotate any exposed credentials.
Furthermore, developers operating in Web3 environments should diligently verify package publisher identities, download histories, and repository ownership before incorporating unfamiliar packages into their projects.
Indicators of compromise, such as SHA1 and SHA256 hashes of the suspect packages, have been identified to aid in detecting potential breaches. These include package archives related to ethers-jss, coinbase-wallet-utils, and others associated with the campaign.
The campaign highlights the necessity for heightened vigilance and robust security measures across software development practices to mitigate such sophisticated threats.
