https://blog.phylum.io/trojanized-ethers-forks-on-npm-attempting-to-steal-ethereum-private-keys
Security researchers at Phylum have uncovered a series of malicious packages targeting Ethereum developers on the npm registry, the world’s most popular software package manager for JavaScript.
Fake Ethereum Packages Steal Keys and Grant Remote Access:
- The fraudulent packages masquerade as legitimate tools related to Ethereum, such as “ethers-web3” or “ethers-aaa.”
- These packages, upon use, attempt to steal a developer’s Ethereum private keys, granting attackers access to their cryptocurrency holdings.
- Additionally, the most sophisticated package, “ethers-mew,” adds a malicious script that modifies the system’s SSH configuration, granting the attacker permanent remote access to the compromised machine.
The attack uses a strategy different from the typosquatting methods observed in August 2023: the malicious code is embedded directly within the packages themselves, so it only runs once a developer actually imports and uses the package in their code. All of the identified malicious packages, and the accounts that published them, have since been removed from the npm registry.
Recommendations for Developers:
- Developers are advised to exercise caution when installing packages, especially those with names similar to established tools.
- Thoroughly review the package’s code before integrating it into projects.
- Implement strong authentication practices and avoid storing sensitive information like private keys directly on development machines.
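The first two recommendations can be partly automated. The script below is an added example (it is not code from the Phylum post or from the ethers project): it reads a package.json-style dependency map and flags any name that is an affixed or near-miss variant of a protected package name, so the dependency is pulled out for manual code review before it is used. The protected list, the empty allowlist, the edit-distance threshold and the sample manifest are assumptions; the three flagged names in the sample are the ones the post names.

```javascript
// Added example, not code from the Phylum post or the ethers project.
// Flags npm dependency names that imitate a protected package name so the
// package gets a manual review; a hit is a review trigger, not a verdict.

const PROTECTED = ["ethers"]; // assumption: package names worth protecting

// Assumed allowlist of vetted names that legitimately contain a protected name.
// Empty here; a real project would list its reviewed dependencies.
const ALLOWLIST = new Set([]);

// Standard Levenshtein edit distance, single-row dynamic programming.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = row[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(row[j] + 1, row[j - 1] + 1, diag + cost);
      diag = tmp;
    }
  }
  return row[b.length];
}

// Strip an npm scope ("@scope/name" -> "name") and lowercase for comparison.
function bareName(name) {
  const unscoped = name.startsWith("@") ? name.split("/")[1] || name : name;
  return unscoped.toLowerCase();
}

// Classify one dependency name. Returns null when the name is fine,
// otherwise a short reason string describing why it needs review.
function classify(name) {
  if (ALLOWLIST.has(name)) return null;
  const bare = bareName(name);
  for (const p of PROTECTED) {
    if (bare === p) return null; // the genuine package itself
    if (bare.startsWith(p + "-") || bare.endsWith("-" + p)) {
      return `affixed variant of "${p}"`; // e.g. ethers-web3, ethers-mew
    }
    if (editDistance(bare, p) <= 2) {
      return `near-miss of "${p}"`; // e.g. "ethes" (assumed threshold: 2 edits)
    }
  }
  return null;
}

// Scan a parsed package.json object; returns findings sorted by name.
function scanPackageJson(pkg) {
  const findings = [];
  const fields = ["dependencies", "devDependencies", "optionalDependencies"];
  for (const field of fields) {
    for (const name of Object.keys(pkg[field] || {})) {
      const reason = classify(name);
      if (reason) findings.push({ name, field, reason });
    }
  }
  return findings.sort((x, y) => x.name.localeCompare(y.name));
}

// Constructed sample manifest: the three "ethers-*" names are the ones the
// post reports; "ethers" and "express" are controls that should not be flagged.
const SAMPLE_PKG = {
  dependencies: { ethers: "^6.0.0", "ethers-web3": "1.0.0", express: "^4.0.0" },
  devDependencies: { "ethers-aaa": "0.0.1", "ethers-mew": "0.0.2" },
};

// Stand-alone run: print the findings for the sample manifest.
if (typeof require !== "undefined" && typeof module !== "undefined" && require.main === module) {
  for (const f of scanPackageJson(SAMPLE_PKG)) {
    console.log(`${f.field}: ${f.name} -> ${f.reason}`);
  }
}
```

To run it against a real project, replace `SAMPLE_PKG` with `JSON.parse(fs.readFileSync("package.json", "utf8"))`; the same `classify` check can be applied to every entry in `package-lock.json` to catch imitations pulled in transitively. A name match only says the package deserves a look at its code before being imported.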
This incident highlights the evolving tactics of cybercriminals targeting the software supply chain. Developers need to remain vigilant and implement robust security measures to protect their systems and digital assets.