According to research published by the Socket Research Team, Ethereum developers have been targeted in a sophisticated supply chain attack that relies on malicious npm packages. The campaign exploits the trust developers place in open-source ecosystems and poses significant risks to the Ethereum development community.
Hardhat, maintained by the Nomic Foundation, is a critical tool for Ethereum developers, streamlining the creation, testing, and deployment of smart contracts. That trust is exactly what the campaign abuses. The attackers infiltrated the npm ecosystem, publishing at least 20 malicious packages under names resembling legitimate Hardhat plugins, such as @nomisfoundation/hardhat-configure and hardhat-deploy-others. These packages were published by three primary authors, and one of the packages, @nomicsfoundation/sdk-test, amassed over 1,000 downloads.
According to the report, “Attackers have employed impersonation as their primary strategy, mimicking the names of legitimate packages and organizations to embed themselves within the supply chain.” These malicious packages claimed to enhance workflows but secretly exfiltrated sensitive data like mnemonics and private keys from compromised development environments.
The campaign employs a multi-layered attack strategy:
- Sensitive Data Collection: The attackers extract critical information, including mnemonics, private keys, and configuration files, from the Hardhat runtime environment.
- Data Encryption and Exfiltration: Collected data is encrypted using predefined AES keys and transmitted to attacker-controlled endpoints.
- C2 Infrastructure via Blockchain: Attackers leverage Ethereum smart contracts to dynamically retrieve command-and-control (C2) server addresses. The decentralized and immutable nature of the blockchain makes disrupting this infrastructure particularly challenging.
For instance, the smart contract at address 0xa1b40044EBc2794f207D45143Bd82a1B86156c6b has been utilized to store and provide C2 addresses. Associated Ethereum wallet 0x52221c293a21D8CA7AFD01Ac6bFAC7175D590A84 further underscores the integration of blockchain into this campaign.
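Because the campaign hinges on lookalike scopes such as @nomisfoundation and @nomicsfoundation standing in for the Nomic Foundation's real publisher scope, a cheap defensive check is to audit a project's package.json for scopes within a small edit distance of the legitimate one, plus the names the report calls out. The following is an added example, not code from Socket or from the Hardhat project: the `@nomicfoundation` allowlist, the distance threshold, and the sample manifest (including the `@nomicfoundatlon/hardhat-ethers` entry, which is a fabricated lookalike) are assumptions constructed for the example.

```javascript
// Added example (not from the Socket report or the Hardhat project): audit a
// package.json-style manifest for dependency names that impersonate the
// legitimate Hardhat publisher scope. Allowlist and samples are assumptions.

// Scope that genuine Hardhat plugins are published under (assumed allowlist).
const LEGITIMATE_SCOPES = ["@nomicfoundation"];

// Package names the report identifies as malicious.
const KNOWN_BAD = new Set([
  "@nomisfoundation/hardhat-configure",
  "hardhat-deploy-others",
  "@nomicsfoundation/sdk-test",
]);

// Standard Levenshtein edit distance, computed with a single rolling row.
function editDistance(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0]; // dist(i-1, j-1) for the current j
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j]; // dist(i-1, j), needed as next diag
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + cost);
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Split "@scope/name" into its scope (or null for unscoped) and bare name.
function splitName(pkg) {
  if (pkg.startsWith("@")) {
    const idx = pkg.indexOf("/");
    return { scope: pkg.slice(0, idx), name: pkg.slice(idx + 1) };
  }
  return { scope: null, name: pkg };
}

// Classify one dependency name; returns a reason string, or null if clean.
// A scope is a lookalike when it is not allowlisted but is within
// `maxDistance` edits of an allowlisted scope (e.g. one letter swapped).
function classify(pkg, maxDistance = 2) {
  if (KNOWN_BAD.has(pkg)) return "known-malicious";
  const { scope } = splitName(pkg);
  if (scope && !LEGITIMATE_SCOPES.includes(scope)) {
    for (const good of LEGITIMATE_SCOPES) {
      const d = editDistance(scope.toLowerCase(), good);
      if (d > 0 && d <= maxDistance) return `lookalike-scope(${good})`;
    }
  }
  return null;
}

// Walk dependencies and devDependencies; returns [{ pkg, reason }, ...].
function auditDependencies(manifest) {
  const findings = [];
  for (const field of ["dependencies", "devDependencies"]) {
    for (const pkg of Object.keys(manifest[field] || {})) {
      const reason = classify(pkg);
      if (reason) findings.push({ pkg, reason });
    }
  }
  return findings;
}

// Constructed sample manifest mixing genuine and lookalike entries.
// "@nomicfoundatlon/hardhat-ethers" is a fabricated lookalike for the demo.
const SAMPLE_MANIFEST = {
  dependencies: { "hardhat-deploy-others": "^1.0.0" },
  devDependencies: {
    "hardhat": "^2.22.0",
    "@nomicfoundation/hardhat-toolbox": "^5.0.0",
    "@nomisfoundation/hardhat-configure": "^1.0.0",
    "@nomicsfoundation/sdk-test": "^0.1.0",
    "@nomicfoundatlon/hardhat-ethers": "^1.0.0",
  },
};

// Usage: node audit.js (prints one finding per line).
if (typeof require !== "undefined" && require.main === module) {
  for (const f of auditDependencies(SAMPLE_MANIFEST)) {
    console.log(`${f.reason}\t${f.pkg}`);
  }
}

module.exports = { editDistance, classify, auditDependencies, SAMPLE_MANIFEST };
```

The check is deliberately narrow: it catches scope impersonation of a publisher you already trust and names already reported, which is the pattern this campaign used, but it says nothing about what a package does once installed. Treat a hit as a reason to stop and inspect the package (its author, publish history, and install scripts) rather than as proof of compromise, and pin trusted packages by exact version in a lockfile so a lookalike cannot slip in through a loose range.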