Malicious npm Packages Threaten Crypto Developers: Keylogging and Wallet Theft Revealed
Researchers at Socket have uncovered a malicious campaign targeting crypto developers. The attacker, operating under the pseudonym “topnotchdeveloper12”, has published three malicious npm packages—crypto-keccak, crypto-jsonwebtoken, and crypto-bignumber—that mimic legitimate cryptographic libraries. These packages aim to steal sensitive data, including cryptocurrency wallet credentials, through a combination of keylogging, clipboard monitoring, and advanced exfiltration techniques.
The malicious npm packages impersonate widely used cryptographic libraries like keccak and jsonwebtoken, essential tools in blockchain and cryptocurrency development. Socket highlights that these legitimate libraries “have tens of millions of downloads and are essential tools for developers working in cryptography, DeFi, blockchain, and crypto-asset projects”.
The malicious packages embed spyware-infostealer malware within executables such as Microsoft Store.exe and bigNumber.exe. Once executed, these files harvest sensitive user data and exfiltrate it via HTTP POST requests to command-and-control (C2) servers.
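The practical question for a team that develops against keccak or jsonwebtoken is whether one of the three look-alike packages has landed in a project, and whether a dependency ships a Windows executable it has no business carrying. The following audit script is an added example written for this article, not Socket's tooling or code from the packages themselves: it checks a package.json and a package-lock.json for the three package names named above and walks a node_modules tree for *.exe files. The sample manifest, lockfile and directory tree are constructed for the demonstration, and which package carried which executable is an assumption made for the sample only, since the article does not say.

```python
"""Audit an npm project for the package names and embedded executables
reported in the article. Added example; not Socket's tooling."""
import json
import tempfile
from pathlib import Path

# Package names from the report (published under "topnotchdeveloper12").
KNOWN_MALICIOUS = {"crypto-keccak", "crypto-jsonwebtoken", "crypto-bignumber"}

# Constructed sample manifest and lockfile for the demonstration.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "wallet-tool",
    "dependencies": {"keccak": "^3.0.0", "crypto-keccak": "1.0.0"},
    "devDependencies": {"jsonwebtoken": "^9.0.0"},
})
SAMPLE_LOCKFILE = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "wallet-tool"},
        "node_modules/keccak": {"version": "3.0.4"},
        "node_modules/crypto-keccak": {"version": "1.0.0"},
        # A transitive dependency pulled in by another package.
        "node_modules/some-dep/node_modules/crypto-bignumber": {"version": "1.0.0"},
    },
})


def _lockfile_names(lock):
    """Collect every package name in a lockfile, transitive ones included."""
    names = set()
    # lockfileVersion 2/3 keys entries by install path; the package name is
    # whatever follows the last "node_modules/" segment (scoped names keep "@scope/").
    for key in lock.get("packages", {}):
        if "node_modules/" in key:
            names.add(key.rsplit("node_modules/", 1)[1])
    # lockfileVersion 1 nests transitive packages under "dependencies".
    stack = [lock.get("dependencies", {})]
    while stack:
        deps = stack.pop()
        for name, meta in deps.items():
            names.add(name)
            stack.append(meta.get("dependencies", {}))
    return names


def find_malicious_dependencies(package_json_text, lockfile_text=None):
    """Return the reported package names present in the manifest or lockfile."""
    manifest = json.loads(package_json_text)
    names = set()
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        names.update(manifest.get(section, {}))
    if lockfile_text:
        names.update(_lockfile_names(json.loads(lockfile_text)))
    return sorted(names & KNOWN_MALICIOUS)


def find_embedded_executables(node_modules_dir):
    """Return node_modules-relative paths of *.exe files shipped by any package."""
    root = Path(node_modules_dir)
    hits = [p.relative_to(root).as_posix()
            for p in root.rglob("*")
            if p.is_file() and p.suffix.lower() == ".exe"]
    return sorted(hits)


def build_sample_tree():
    """Create a throwaway node_modules tree with constructed files for the demo.
    The placement of the two executable names under particular packages is an
    assumption for this sample; the article does not state it."""
    base = Path(tempfile.mkdtemp()) / "node_modules"
    (base / "keccak").mkdir(parents=True)
    (base / "keccak" / "index.js").write_text("module.exports = {};\n")
    (base / "crypto-bignumber" / "bin").mkdir(parents=True)
    (base / "crypto-bignumber" / "bin" / "bigNumber.exe").write_bytes(b"MZ")
    (base / "crypto-keccak").mkdir()
    (base / "crypto-keccak" / "Microsoft Store.exe").write_bytes(b"MZ")
    return base


if __name__ == "__main__":
    print("manifest+lockfile:", find_malicious_dependencies(SAMPLE_PACKAGE_JSON, SAMPLE_LOCKFILE))
    print("executables:", find_embedded_executables(build_sample_tree()))
```

Run it against a real project by passing the text of its package.json and package-lock.json and the path of its node_modules directory; checking the lockfile matters because, as in the sample, a look-alike package can arrive as a transitive dependency that never appears in the manifest.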
Socket researchers identified the malware’s extensive capabilities, including:
- Keylogging: Tracks keystrokes through application hooks and polling mechanisms.
- Clipboard Monitoring: Intercepts copied cryptocurrency addresses and credentials.
- Credential Theft: Targets browser-stored passwords and cookies, particularly data linked to cryptocurrency wallets like MetaMask and Exodus.
- Persistence Mechanisms: Ensures automatic execution upon system boot by modifying Windows registry Run keys.
The malware uses modular C2 endpoints for exfiltrating stolen data and updating itself. It communicates with C2 servers at 209.151.151[.]172 and indiefire[.]io, alternating between paths like /media/itemmedia and /timetrack/add to handle telemetry, tasking, and file exfiltration. The use of multiple endpoints ensures redundancy, allowing operations to continue even if one server is taken offline.
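Because the two C2 hosts and the two URL paths are used interchangeably, a detection that keys on only one of them misses traffic once the operators fail over. The script below is an added example, not part of Socket's report or tooling: it scans proxy log lines for the indicators quoted above (refanged from 209.151.151[.]172 and indiefire[.]io), treats a match on the host as high confidence and a POST to one of the two paths on any other host as a lower-confidence lead. The log format and the log lines are constructed for the demonstration; adapt the regular expression to your proxy's format.

```python
"""Flag proxy log entries that match the C2 indicators from the article.
Added example with a constructed log format; not Socket's tooling."""
import re
from urllib.parse import urlsplit

# Indicators from the article, refanged for matching.
C2_HOSTS = {"209.151.151.172", "indiefire.io"}
C2_PATHS = {"/media/itemmedia", "/timetrack/add"}

# Constructed log lines: "<timestamp> <client> <method> <url> <status>".
SAMPLE_LOG = """\
2024-12-10T09:58:11Z 10.0.0.5 GET https://registry.npmjs.org/keccak 200
2024-12-10T09:59:40Z 10.0.0.5 POST http://209.151.151.172/media/itemmedia 200
2024-12-10T10:00:02Z 10.0.0.7 POST https://example.com/media/itemmedia 404
2024-12-10T10:04:15Z 10.0.0.5 POST https://indiefire.io/timetrack/add 200
2024-12-10T10:05:00Z 10.0.0.9 GET https://github.com/ 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def classify_request(method, url):
    """Return a detection tier for one request, or None when nothing matches."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in C2_HOSTS:
        return "c2-host"            # known C2 server: high confidence
    if method == "POST" and parts.path in C2_PATHS:
        return "c2-path-only"       # same upload path on an unknown host: lead only
    return None


def scan_log(text):
    """Parse each log line and return the entries that match an indicator."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        match = LINE_RE.match(line)
        if not match:
            continue            # unparseable line; a real scanner would count these
        reason = classify_request(match["method"], match["url"])
        if reason is None:
            continue
        parts = urlsplit(match["url"])
        hits.append({
            "line": number,
            "client": match["client"],
            "host": parts.hostname,
            "path": parts.path,
            "reason": reason,
        })
    return hits


def clients_contacting_c2(hits):
    """Internal clients with at least one high-confidence match; these hosts
    should be triaged for the package names and executables from the report."""
    return sorted({h["client"] for h in hits if h["reason"] == "c2-host"})


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for hit in found:
        print(hit)
    print("triage:", clients_contacting_c2(found))
```

Host-level matches are actionable on their own; the path-only tier exists because the report describes the endpoints as modular, so the same upload paths may reappear behind a server that is not yet on a block list, and such leads are worth correlating with the npm audit results from the affected client.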
The campaign’s focus on crypto developers underscores its severity. The malware specifically targets directories and extensions linked to popular wallets, including:
- Exodus Wallet: Harvesting data from paths like \AppData\Roaming\Exodus\exodus.wallet\.
- MetaMask: Accessing sensitive files in directories associated with Ethereum wallets.
By embedding links to authentic GitHub repositories, the attacker lent credibility to two of their malicious packages. However, crypto-bignumber linked directly to a GitHub repository under their alias, hosting additional malicious code.
This campaign exemplifies how trust in open-source ecosystems can be exploited. “The open source ecosystem is built on trust, but this trust can be easily exploited,” Socket warned. The continued presence of these malicious packages, which have been downloaded over 1,000 times, highlights the vulnerabilities in platforms like npm and GitHub.