Unknown Actor Hijacks NPM Packages to Steal Crypto Funds

MITRE Techniques

• [T1059 ] Command and Scripting Interpreter – Malicious JavaScript was injected into npm packages and executed in the browser to intercept APIs and modify requests/responses (“injects itself into the browser…Hooks core functions like fetch, XMLHttpRequest, and wallet APIs (window.ethereum, Solana, etc.).”).
• [T1185 ] Man-in-the-Middle – The malware intercepts and modifies web traffic and API responses client-side, effectively performing MITM on fetch and XHR calls (“injects itself into functions like fetch, XMLHttpRequest…then silently rewrites values in requests and responses”).
• [T1499 ] Endpoint Denial of Service (functional impersonation) – The code tampers with transaction parameters and replaces destination addresses/approval targets, causing funds/approvals to be redirected to attacker accounts (“silently intercepts crypto and web3 activity…rewrites payment destinations so that funds and approvals are redirected to attacker-controlled accounts”).
• [T1592 ] Gather Victim Identity Information – The malware scans content for wallet addresses and other identifiers across multiple blockchains to locate targets for replacement (“Scans network responses and transaction payloads for anything that looks like a wallet address or transfer. Recognizes multiple formats across Ethereum, Bitcoin, Solana, Tron, Litecoin, and Bitcoin Cash.”).
• [T1566 ] Phishing – Attackers compromised maintainers via phishing emails originating from a spoofed/support domain (npmjs.help) used to gain repository access (“phishing, using this email coming from support [at] npmjs [dot] help”).
• [T1204 ] User Execution – The attack depends on users running applications in browsers that load the compromised packages, causing execution of the injected JavaScript in victim contexts (“These were … packages … updated to contain a piece of code that would be executed on the client of a website”).