A malicious npm package, @ton-wallet/create, has been discovered stealing mnemonic phrases from users in the TON ecosystem. By impersonating the legitimate @ton/ton package it poses a serious supply chain risk for developers and users alike. The package has remained live on npm for six months, exposing a significant number of TON users to financial theft.
Affected: TON ecosystem, blockchain developers, crypto wallet users
Key points:
- The Socket Research Team identified a malicious npm package, @ton-wallet/create, which steals mnemonic phrases.
- The package impersonates the legitimate @ton/ton package, thereby gaining credibility among developers.
- It has been live for six months, unnoticed in the JavaScript ecosystem.
- It targets the process.env.MNEMONIC variable to steal sensitive data.
- The potential impact includes financial theft for blockchain developers and crypto wallet users.
- The malicious package communicates with an attacker’s Telegram bot to exfiltrate stolen mnemonic information.
- Mitigation strategies include regular auditing of dependencies, usage of security tools, and reporting the malicious package to npm for removal.
MITRE Techniques:
- MITRE Technique: T1071 – Application Layer Protocol
  – Procedure: The malicious package uses the Telegram API to send stolen mnemonic phrases to the attacker’s Telegram bot.
- MITRE Technique: T1083 – File and Directory Discovery
  – Procedure: The malicious code is found within specific files of the @ton-wallet/create package, allowing for the discovery of environment variables.
Indicators of Compromise:
- [Malicious Package] @ton-wallet/create
- [Bot Token] 7493700888:AAGJ5nyXemePuHqleSOqkIM23Yhs0o01q-Q
- [Chat ID] -1002197015763
- [Known Malicious File Path] index.js (within @ton-wallet/create package)
- [Known Malicious File Path] dist/index.js (within @ton-wallet/create package)
Full Story: https://socket.dev/blog/ton-wallet-security-threat-malicious-npm-package-steals-cryptocurrency-wallet-keys