6 January 2025

Malicious npm campaign targets Ethereum devs with fake Hardhat packages

A sophisticated npm supply chain campaign is targeting Ethereum developers with packages that impersonate Hardhat plugins and the Nomic Foundation, the maintainer of Hardhat, in order to steal sensitive data such as private keys, mnemonics and configuration details.

The ongoing campaign relies on malicious npm packages that mimic legitimate Hardhat plugins. So far, Socket researchers have identified 20 malicious packages published by three authors. The most downloaded of them, ‘@nomicsfoundation/sdk-test’, has garnered 1,092 downloads; note the extra ‘s’ in the scope, which makes it a look-alike of the legitimate ‘@nomicfoundation’ scope.

According to the researchers, the malicious packages use functions such as hreInit() and hreConfig() to hook into the Hardhat Runtime Environment (HRE), where a project's network configuration, private keys and mnemonics are accessible, and to capture and transmit that data. The stolen information is sent to attacker-controlled endpoints, with hardcoded keys and Ethereum addresses embedded in the packages. The campaign also uses Ethereum smart contracts to look up its command-and-control (C2) server addresses at runtime, so the attackers can move their infrastructure by updating on-chain data rather than republishing the packages.

“This attack highlights just one malicious campaign within the open source ecosystem and the critical need for vigilance in package selection. Developers and organizations must implement stricter auditing and monitoring practices to safeguard their development environments,” the researchers noted.
