Hackers Hijack 9-Year-Old NPM Crypto Package for Data Theft

A dozen cryptocurrency-related packages on the NPM registry have been hijacked to distribute infostealer malware

Cybersecurity researchers have discovered that nearly a dozen cryptocurrency-related packages on the NPM registry have been hijacked to distribute infostealer malware. Among these, one package was first published nine years ago, showing how long-maintained libraries can be compromised to attack unsuspecting developers. 

These hijacked packages, designed for blockchain application development, provide legitimate functionality but now contain obfuscated scripts that steal sensitive information from compromised systems. According to software supply chain management firm Sonatype, the malicious updates were only observed in NPM, while the corresponding GitHub repositories remained unchanged. 

Collectively, these compromised packages have been downloaded around 500,000 times over their entire lifespan, making this a significant supply chain attack. 

Recent Malicious Activity 

Two of the hijacked packages, ‘bnb-javascript-sdk-nobroadcast’ and ‘country-currency-map’, had not received updates for years. However, new versions containing malicious code suddenly appeared on NPM this week. The malicious update for ‘country-currency-map’ was deprecated shortly after being published, with the maintainers recommending the use of a previous version from five years ago. 

Sonatype's investigation revealed that these compromised packages run obfuscated scripts during installation, allowing attackers to steal sensitive system environment variables. These variables may include API keys, SSH credentials, access tokens, and other critical data. 

Other Compromised Packages 

Additional hijacked packages include: 

  • ‘@bithighlander/bitcoin-cash-js-lib’ 
  • ‘eslint-config-travix’ 
  • ‘@crosswise-finance1/sdk-v2’ 
  • ‘@keepkey/device-protocol’ 
  • ‘@veniceswap/uikit’ 
  • ‘@veniceswap/eslint-config-pancake’ 
  • ‘babel-preset-travix’ 
  • ‘@travix/ui-themes’ 
  • ‘@coinmasters/types’ 

The likely cause of these hijacks is the compromise of old maintainer accounts, possibly through credential stuffing attacks. Sonatype noted that while NPM mandated two-factor authentication (2FA) for high-impact projects in 2022, some package authors have not yet enabled 2FA, leaving their accounts vulnerable. 

The Risk of Software Supply Chain Attacks 

This incident highlights the ongoing risks of software supply chain attacks, where trusted development tools are modified to steal sensitive information. Developers using NPM packages for blockchain applications should carefully review package updates, verify maintainers, and enable security features like 2FA to reduce the risk of compromise. 
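The two warning signs the article describes, install-time scripts in a package and a years-dormant package that suddenly gets a new release, can both be checked mechanically. The following is an added example, not code from the article or from Sonatype; the package names come from the article's list, while the sample manifests, dates, version numbers and registry `time` maps are constructed for the demonstration.

```javascript
// Added example (not the article's or Sonatype's code): two defender-side checks a
// CI job can run over a project's resolved dependencies before npm's install
// scripts are allowed to run: (1) flag package.json lifecycle hooks that npm runs at
// install time, the vector the article describes; (2) flag a release published after
// a long gap in the registry's publish history, the "dormant, then suddenly updated" pattern.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall']; // run for registry deps
// Package names taken from the article's list of hijacked packages.
const KNOWN_HIJACKED = new Set([
  'bnb-javascript-sdk-nobroadcast', 'country-currency-map', '@bithighlander/bitcoin-cash-js-lib',
  'eslint-config-travix', '@crosswise-finance1/sdk-v2', '@keepkey/device-protocol',
  '@veniceswap/uikit', '@veniceswap/eslint-config-pancake', 'babel-preset-travix',
  '@travix/ui-themes', '@coinmasters/types',
]);
// Return the install-time hooks a package.json declares (empty array if none).
function installHooks(manifest) {
  const scripts = (manifest && manifest.scripts) || {};
  return INSTALL_HOOKS.filter((hook) => typeof scripts[hook] === 'string');
}
// `timeMap` is the registry packument's `time` field ({version: ISO date} plus the
// `created`/`modified` keys). True if `version` followed more than `gapDays` of
// silence since the previous release; false for an unknown or first release.
function publishedAfterDormancy(timeMap, version, gapDays = 365) {
  const releases = Object.entries(timeMap)
    .filter(([key]) => key !== 'created' && key !== 'modified')
    .map(([v, date]) => ({ v, t: Date.parse(date) }))
    .sort((a, b) => a.t - b.t);
  const idx = releases.findIndex((r) => r.v === version);
  if (idx <= 0) return false;
  return releases[idx].t - releases[idx - 1].t > gapDays * 86400000;
}
// Audit {manifest, time} records and keep only those with at least one finding.
function audit(packages, gapDays = 365) {
  return packages.map(({ manifest, time }) => ({
    name: manifest.name,
    version: manifest.version,
    knownHijacked: KNOWN_HIJACKED.has(manifest.name),
    installHooks: installHooks(manifest),
    dormantThenUpdated: publishedAfterDormancy(time, manifest.version, gapDays),
  })).filter((f) => f.knownHijacked || f.installHooks.length > 0 || f.dormantThenUpdated);
}
// Constructed sample input: a benign package and one showing the suspicious pattern.
// The version number, dates and script path are placeholders, not the real ones.
const SAMPLE = [
  { manifest: { name: 'example-safe', version: '2.0.0', scripts: { test: 'jest' } },
    time: { created: '2022-01-01T00:00:00Z', '1.0.0': '2022-01-01T00:00:00Z', '2.0.0': '2022-06-01T00:00:00Z' } },
  { manifest: { name: 'country-currency-map', version: '9.9.9', scripts: { postinstall: 'node ./PLACEHOLDER.js' } },
    time: { created: '2015-03-01T00:00:00Z', '1.0.0': '2015-03-01T00:00:00Z', '9.9.9': '2025-03-25T00:00:00Z' } },
];
console.log(JSON.stringify(audit(SAMPLE), null, 2));
```

In a real pipeline the manifests come from `node_modules/*/package.json` and the `time` maps from the registry's package metadata; pairing this with `npm install --ignore-scripts` keeps flagged hooks from running until someone has read them.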
