A sophisticated npm supply chain attack has been targeting developers by impersonating Hardhat plugins and the Nomic Foundation to steal sensitive data, including private keys, mnemonics, and configuration details.
The ongoing campaign involves malicious npm packages that mimic legitimate plugins. So far, Socket researchers have identified 20 malicious packages published by three authors, with the most downloaded package, ‘@nomicsfoundation/sdk-test’, garnering 1,092 downloads.
According to the researchers, malicious packages misuse functions like hreInit() or hreConfig() to capture and transmit sensitive data. Stolen information, including private keys and configuration details, is transmitted to attacker-controlled endpoints using hardcoded keys and Ethereum addresses. Additionally, the campaign leverages Ethereum smart contracts to dynamically retrieve command-and-control (C2) server addresses.
“This attack highlights just one malicious campaign within the open source ecosystem and the critical need for vigilance in package selection. Developers and organizations must implement stricter auditing and monitoring practices to safeguard their development environments,” the researchers noted.