Cryptocurrency Packages Hijacked on npm Registry: A Growing Threat to Cybersecurity


In a recent cybersecurity discovery, researchers revealed that several cryptocurrency-related packages hosted on the npm registry have been hijacked to steal sensitive information from compromised systems. These packages, which have been available for years and are widely used by blockchain developers, were found to contain hidden, obfuscated scripts designed to siphon valuable data like API keys, access tokens, and SSH keys from affected systems. This article explores the malicious campaign, its potential risks, and the need for improved supply chain security in open-source development.

Overview of the Hijacked Packages

Cybersecurity researcher Ax Sharma, affiliated with Sonatype, reported that certain cryptocurrency-related packages on the npm registry had been compromised. These packages, some of which had been live for over nine years, originally provided legitimate functionality for blockchain developers. However, the latest versions of these packages were found to contain obfuscated JavaScript code. Once installed, the malicious code runs automatically and is designed to harvest sensitive data from affected systems.

The compromised packages include:

– country-currency-map (2.1.8)
– bnb-javascript-sdk-nobroadcast (2.16.16)
– @bithighlander/bitcoin-cash-js-lib (5.2.2)
– eslint-config-travix (6.3.1)
– @crosswise-finance1/sdk-v2 (0.1.21)
– @keepkey/device-protocol (7.13.3)
– @veniceswap/uikit (0.65.34)
– @veniceswap/eslint-config-pancake (1.6.2)
– babel-preset-travix (1.2.1)
– @travix/ui-themes (1.1.5)
– @coinmasters/types (4.8.16)

Malicious Scripts and Their Impact

The malicious code was embedded in two specific files: package/scripts/launch.js and package/scripts/diagnostic-report.js. These scripts are activated immediately after the compromised packages are installed on a system. Their primary purpose is to collect and exfiltrate critical data, such as API keys, access tokens, SSH keys, and more, to a remote server. The exfiltration server’s address was identified as "eoi2ectd5a5tn1h.m.pipedream[.]net", but the full scope of the attackers’ goals remains unclear.

Interestingly, despite the packages being hijacked, the GitHub repositories associated with the libraries did not show any modifications. This raises the question of how the malicious code was pushed into the packages without altering the corresponding GitHub repositories. At this stage, it remains unknown whether the hijacks were part of a coordinated campaign or individual attacks.

Potential Cause of the Hijacks

Sonatype researchers believe the hijacks could be the result of compromised npm maintainer accounts. Two primary possibilities have been hypothesized: credential stuffing and expired domain takeovers. In the case of credential stuffing, threat actors exploit leaked username-password pairs from past breaches to access accounts on other platforms. The second possibility is an expired domain takeover, where a domain that was previously linked to a legitimate package could be re-registered and hijacked by attackers.

Given the pattern of simultaneous attacks across multiple packages maintained by different developers, the former scenario, npm maintainer accounts being hijacked through credential stuffing, seems more likely than a large-scale phishing attack.

The Need for Enhanced Security Measures

The attack highlights a critical vulnerability in the open-source ecosystem and the importance of securing software supply chains. The researchers emphasized the need for stricter security measures, including two-factor authentication (2FA) for npm maintainers. Without such safeguards, open-source projects, especially older and less actively maintained ones, remain susceptible to attack. This incident serves as a stark reminder that organizations need to prioritize security throughout the software development lifecycle to mitigate risks posed by third-party dependencies.

What Undercode Says:

The npm registry incident underscores an increasingly complex threat landscape in the realm of software development and supply chain security. The use of legitimate packages as a vector for cyberattacks is not new, but it does raise several significant concerns for developers, security professionals, and organizations alike.

The Importance of Securing Developer Accounts

One of the critical takeaways from this incident is the importance of maintaining strong security practices for developers. npm accounts, being integral to the open-source ecosystem, are high-value targets for attackers. The use of weak or reused credentials allows attackers to easily gain access to multiple accounts, leading to widespread damage.

Enforcing two-factor authentication (2FA) for npm accounts is essential to preventing unauthorized access. In addition to 2FA, organizations and developers must be vigilant about monitoring for suspicious activity within their software supply chain. Automated tools that can flag suspicious changes to libraries or packages could help prevent malicious code from being pushed unnoticed.

Challenges with End-of-Life Projects

The rise in these types of attacks also points to a significant issue for developers working with older, end-of-life software packages. Many of these packages are no longer actively maintained or updated, making them more vulnerable to hijacks and exploits. Without ongoing security updates, these packages present an easy target for attackers who take advantage of abandoned projects.

This problem is further compounded by the fact that many organizations rely on these outdated packages, often unaware of the risks they present. A more proactive approach to the lifecycle of software dependencies is needed, ensuring that projects—especially those that are integral to larger systems—are regularly checked and updated.

Open-Source Ecosystem and Its Security Challenges

The incident serves as a reminder of the inherent risks of the open-source ecosystem, where third-party dependencies form the backbone of many development projects. While these dependencies foster rapid innovation and collaboration, they also introduce significant security risks. Attackers can target a single point of failure in the supply chain and cause cascading vulnerabilities across multiple projects.

Developers should consider using trusted sources and package managers with enhanced security features. Additionally, security audits should be regularly performed on all external libraries integrated into projects, especially those that handle sensitive information, such as API keys and tokens.

Moving Forward: A Call to Action for Improved Security

The continued rise of supply chain attacks in the open-source ecosystem demands a comprehensive approach to securing third-party dependencies. Both developers and organizations must take proactive steps to safeguard their projects from potential vulnerabilities introduced through compromised packages. This involves not only securing accounts with 2FA but also regularly reviewing and updating dependencies, implementing code reviews, and investing in security tools that can detect suspicious activities.

Fact Checker Results:

  • True: Several npm packages have been hijacked and contain malicious code designed to harvest sensitive data.
  • True: The malicious scripts exfiltrate sensitive information to a remote server, posing a risk to users who install the compromised packages.
  • Likely: The hijacks are most likely caused by compromised npm maintainer accounts rather than phishing attacks.

References:

Reported By: https://thehackernews.com/2025/03/nine-year-old-npm-packages-hijacked-to.html