A malicious npm campaign that poses as the Hardhat plugins and the Nomic Foundation is observed to target Ethereum developers to acquire private keys and other sensitive data.
Hardhat, maintained by the Nomic Foundation, is an essential tool for Ethereum developers. As a flexible Ethereum development environment, it simplifies the development, testing, and implementation of dApps and smart contracts.
The supply chain attack is presently targeting the Nomic Foundation and Hardhat platforms, which are both critical components of the Ethereum development environment.
“By exploiting trust in open source plugins, attackers have infiltrated these platforms through malicious npm packages, exfiltrating critical data such as private keys, mnemonics, and configuration details,” Socket Research Team shared with Cyber security News.
Targeting Ethereum Developers With Fake Hardhat Packages
The malicious npm packages used in this ongoing attack pose as genuine plugins and target the Nomic Foundation, Hardhat, and related plugins.
As a result of the attack, 20 malicious packages written by three main authors have been detected; the most popular package, @nomicsfoundation/sdk-test, has had 1,092 downloads.
Packages such as @nomisfoundation/hardhat-configure and @monicfoundation/hardhat-config are two instances; they appear to be legitimate Hardhat plugins but include malicious code.
Researchers observed malicious packages mimic the names of legitimate Hardhat plugins to give the impression that they are authentic. Malicious and genuine software both claim to offer useful Hardhat extensions.
Like legitimate plugins, malicious packages target Ethereum smart contract testing, gas optimization, and deployment procedures. Malicious packages hosted on npm take advantage of developers’ trust in this ecosystem.
While legitimate plugins use the Hardhat Runtime Environment (HRE) for legitimate purposes like contract deployment or testing, malicious packages exploit functions like hreInit() or hreConfig() to exfiltrate sensitive data.
From the Hardhat environment, attackers retrieve crucial data like private keys and mnemonics.
A predefined AES key is used to encrypt the private information. Subsequently, attacker-controlled endpoints receive encrypted data.
Through the use of functions like hreInit() and hreConfig(), these packages take advantage of the Hardhat runtime environment to obtain private keys, mnemonics, and configuration files, among other sensitive information.
Using Ethereum addresses and hardcoded keys for efficient exfiltration, the gathered data is sent to attacker-controlled endpoints.
“This attack compromises sensitive data, including private keys and mnemonics, undermining trust in open source ecosystems. Additionally, it risks deploying malicious contracts to the Ethereum mainnet, further escalating the potential damage”, researchers said.
Attackers have used Ethereum smart contracts to retrieve C2 server addresses dynamically. This approach takes advantage of the blockchain’s decentralized and unchangeable characteristics, making it difficult to disrupt the C2 infrastructure.
In relation to earlier campaigns, specific Ethereum wallet addresses have been identified. Notably, the wallet 0x52221c293a21D8CA7AFD01Ac6bFAC7175D590A84 has been linked to the campaign leveraging ethereum smart contracts and is used as a parameter to access C2 server information.
It is crucial to choose packages carefully. Stricter auditing and monitoring procedures must be put in place by developers and organizations to protect their development environments.
To prevent unintentionally installing one of these malicious packages, install the free Socket for GitHub app.
Socket’s AI-powered threat detection detects these types of attacks, as well as more than 70 additional indicators of supply chain risk before they reach your development environment.
Indicators Of Compromise (IOCs)
Malicious URLs
hxxps://projects[.]metabest[.]tech/api
hxxps://cryptoshiny[.]com/api
hxxps://cryptoshiny[.]com/api/projects/setData
hxxps://cryptoshiny[.]com/api/projects/getAddress
hxxps://projects[.]cryptosnowprince[.]com/api
hxxp://t0uxistfm4fo6bg9pjfpdqb1ssyjmfa4[.]oastify[.]com
hxxps://pastebin[.]com/api/api_post[.]php
Hardcoded Keys
AES Key: 8GAq/DfzWy74ESgzmSYPXMSghwPjOY3oa7HZ6u+FSCs=:PMnracLLHhsVjTj+dwHOQQ==
Pastebin Developer Key: zCviLVtg0oHC2aT_xQ_7VU96pzxM35ju
Pastebin User Key: d8186f40984375851b912c75b5bd24e7
Ethereum Addresses
0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2
0xbb4CdB9CBd36B01bD1cBaEBF2De08d9173bc095c
0xae13d989daC2f0dEbFf460aC112a837C89BAa7cd
0xE0B7927c4aF23765Cb51314A0E0521A9645F0E2A
0x0d500B1d8E8eF31E21C99d1Db9A6444d3ADf1270
Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free