New NPM Supply Chain Campaign Identified: A Multi-Stage Cryptocurrency Malware with More Than 2.7 million Downloads

Cyfirma Research uncovered an npm supply chain campaign using 11 malicious packages to target blockchain developers, Web3 projects, and cryptocurrency infrastructure, with moralis-sdk alone reaching more than 2.7 million downloads. The campaign used typosquatting, postinstall/preinstall abuse, credential harvesting, wallet theft, blockchain-based C2 and exfiltration, and multi-stage payload delivery. #moralis-sdk #ethers-jss #coinbase-wallet-utils #Ganach #Solidty #Stelar-sdk #ethcompat

Key points

  • Researchers identified 11 highly suspicious npm packages targeting blockchain developers, Web3 projects, and cryptocurrency wallet operators.
  • The trojanized moralis-sdk package accounted for more than 2.7 million downloads, making it the most widely distributed malicious package in the campaign.
  • The threat actors used typosquatting, brand impersonation, and npm lifecycle hook abuse to trigger code execution during installation.
  • Multiple packages were designed to steal cryptocurrency wallet private keys, mnemonic phrases, SSH keys, cloud credentials, and other developer secrets.
  • The coinbase-wallet-utils and ethers-jss packages focused on reconnaissance, exfiltration, and wallet theft through postinstall and preinstall scripts.
  • The moralis-sdk package acted as a multi-stage downloader that retrieved additional payloads from remote hosting services such as Pastefy and GitHub.
  • Some packages used blockchain-based mechanisms, including Ethereum smart contracts and on-chain transactions, for infrastructure retrieval and credential exfiltration.

MITRE Techniques

  • [T1195.002] Supply Chain Compromise: Compromise Software Dependencies and Development Tools – Malicious npm packages were published to compromise developers through trusted dependencies (‘trojanized npm packages delivered through npm registry’).
  • [T1204.002] User Execution: Malicious File – Installation of the package triggered lifecycle hooks that executed malicious code (‘installation of malicious npm package triggers lifecycle hooks’).
  • [T1036.005] Masquerading: Match Legitimate Name or Location – Packages were named to resemble legitimate blockchain tools and libraries (‘typosquatting packages Ganach, Solidty, Stelar-sdk, ethers-jss, coinbase-wallet-utils’).
  • [T1087] Account Discovery – The malware collected usernames and account-related information from infected systems (‘collection of username and account information’).
  • [T1518] Software Discovery – The malware identified development environments and blockchain tooling (‘identification of development environments and blockchain tooling’).
  • [T1213] Data from Information Repositories – The malware searched local config and secret files for sensitive data (‘collection of configuration files, secrets.json, hardhat.config.js, foundry.toml’).
  • [T1552] Unsecured Credentials – The packages harvested secrets from environment variables and configuration files (‘harvesting secrets from environment variables and config files’).
  • [T1528] Steal Application Access Token – The campaign targeted tokens and keys such as NPM_TOKEN, GITHUB_TOKEN, AWS keys, Infura keys, and Alchemy keys (‘theft of NPM_TOKEN, GITHUB_TOKEN, AWS keys, Infura keys, Alchemy keys’).
  • [T1583.001] Acquire Infrastructure: Domains – Attackers used GitHub Codespaces and attacker-controlled infrastructure for command and control (‘GitHub Codespaces and attacker infrastructure’).
  • [T1583.006] Acquire Infrastructure: Web Services – The malware abused legitimate web services like YouTube, Pastefy, GitHub, and npm (‘YouTube, Pastefy, GitHub, npm’).
  • [T1586.001] Compromise Accounts – Stolen SSH keys and cloud credentials could be used to compromise accounts (‘stolen SSH keys and cloud credentials can enable account compromise’).

Indicators of Compromise

  • [SHA1] Malicious package archives identified in the campaign – 53b91117db931d3acbbfd15aa8400bb6691e023d, 63154cd9c79f9d14eb9be6c4efc2a778d31646ec, and 74d3d5ab6d0fa4c6a5860598231728a6a893ecf7
  • [SHA256] Malicious package archives identified in the campaign – d94a2444268b339dfda2615f7800322fb318e0a484414bb17016cfcd5eb07c44, 6585ca0d3e26c20ced638f46f4a89eea924d411b8753d3fcf434663593c7cf0b, and 17bad5ae5b2ac262f5f18854853869840245c344105aa38c7f550ef51d2e5f26
  • [URL] Payload hosting and downloader infrastructure – pastefy.app/RhPBKGli/raw, http://193[.]233[.]201[.]21:3001, and 2 more related endpoints
  • [Ethereum address] On-chain configuration and exfiltration targets – 0xa1b40044EBc2794f207D45143Bd82a1B86156c6b, 0x52221c293a21D8CA7AFD01Ac6bFAC7175D590A84, and 0xCBbecC5E5Eb88582e6305cF6ab688f03e02Ce16f
  • [Package name] Malicious npm packages used in the campaign – ethers-jss, coinbase-wallet-utils, moralis-sdk, Ganach, Solidty, and Stelar-sdk
  • [Package name] Additional malicious Ethereum/Web3 credential harvester packages – hardhat-deploy-utils, web3-deploy-helper, defi-sdk-core, ethers-compat, and ethereum-dev-utils
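The following is an added defender-side example, not CYFIRMA's tooling or anything from the campaign. It turns the two indicator types above (package names and SHA256 archive hashes) and the execution vector described in the key points (npm lifecycle hooks running at install time) into a scan of an installed `node_modules` tree: every `package.json` is checked against the IoC package names and any `preinstall`/`install`/`postinstall` script it declares is reported, and a helper hashes downloaded `.tgz` archives for comparison with the SHA256 list. Package names are compared case-insensitively because the report lists some in mixed case while npm registry names are lowercase. The sample tree built by `build_demo_tree` is constructed for the demo; the `left-pad` entry is a placeholder benign package, and `node install.js` is a placeholder script name.

```python
"""Scan a node_modules tree for the package-name and archive-hash IoCs
from the report and for install-time lifecycle hooks (preinstall /
install / postinstall), the execution vector the report describes.
Added defender-side example, not CYFIRMA's tooling."""
import hashlib
import json
import os
import tempfile

# Package names from the report's IoC list (compared case-insensitively,
# since npm package names are lowercase on the registry).
IOC_PACKAGE_NAMES = {
    "ethers-jss", "coinbase-wallet-utils", "moralis-sdk", "ganach",
    "solidty", "stelar-sdk", "hardhat-deploy-utils", "web3-deploy-helper",
    "defi-sdk-core", "ethers-compat", "ethereum-dev-utils",
}
# SHA256 hashes of the malicious package archives from the report.
IOC_SHA256 = {
    "d94a2444268b339dfda2615f7800322fb318e0a484414bb17016cfcd5eb07c44",
    "6585ca0d3e26c20ced638f46f4a89eea924d411b8753d3fcf434663593c7cf0b",
    "17bad5ae5b2ac262f5f18854853869840245c344105aa38c7f550ef51d2e5f26",
}
# npm runs these scripts automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def sha256_bytes(data):
    """Hex SHA256 of in-memory bytes."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path):
    """Hex SHA256 of a file, e.g. a downloaded .tgz package archive."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def archive_matches_ioc(path):
    """True if the archive's SHA256 is one of the report's IoC hashes."""
    return sha256_file(path) in IOC_SHA256


def assess_package(manifest):
    """Return a list of findings for one parsed package.json dict."""
    findings = []
    name = str(manifest.get("name", "")).lower()
    if name in IOC_PACKAGE_NAMES:
        findings.append(f"ioc-name:{name}")
    scripts = manifest.get("scripts") or {}
    for hook in INSTALL_HOOKS:
        if hook in scripts:
            findings.append(f"lifecycle:{hook}={scripts[hook]}")
    return findings


def scan_node_modules(root):
    """Walk node_modules and map each flagged package.json to its findings."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" not in files:
            continue
        path = os.path.join(dirpath, "package.json")
        try:
            with open(path, encoding="utf-8") as f:
                manifest = json.load(f)
        except (OSError, ValueError):
            continue  # unreadable or not JSON: skip it, keep scanning
        found = assess_package(manifest)
        if found:
            results[os.path.relpath(path, root)] = found
    return results


def build_demo_tree(root):
    """Constructed sample tree: one IoC-named package declaring a
    postinstall hook (placeholder script name) and one placeholder
    benign package with no install-time hooks."""
    for name, scripts in (
        ("moralis-sdk", {"postinstall": "node install.js"}),
        ("left-pad", {"test": "node test.js"}),
    ):
        pkg_dir = os.path.join(root, "node_modules", name)
        os.makedirs(pkg_dir, exist_ok=True)
        with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as f:
            json.dump({"name": name, "version": "1.0.0", "scripts": scripts}, f)
    return os.path.join(root, "node_modules")


def demo():
    """Scan the constructed tree and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_node_modules(build_demo_tree(tmp))


if __name__ == "__main__":
    for path, findings in demo().items():
        print(path, "->", ", ".join(findings))
```

Run it against a real project by calling `scan_node_modules("./node_modules")`; anything flagged `lifecycle:` is code that ran, or will run, during `npm install`, which is exactly where the report says the credential harvesting and downloader stages execute. Installing with `npm install --ignore-scripts` and reviewing flagged hooks before re-enabling them removes that execution vector for untrusted dependencies.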


Read more: https://www.cyfirma.com/research/new-npm-supply-chain-campaign-identified-a-multi-stage-cryptocurrency-malware-with-more-than-2-7-million-downloads/