

Ethical Hacking News

The Shadows of Deception: A Looming Threat to Ethereum Wallets via Malicious npm Packages



A new campaign has been identified that targets developers' Ethereum wallets and plants SSH backdoors via malicious npm packages. The packages, which include ethers-mew and ethers-web3 among others, impersonate legitimate Ethereum packages. Unlike many npm attacks, this one only fires when a developer actually uses the package in their code, which makes it harder for security teams to detect and respond to the threat.

  • Suspicious npm packages have been discovered that aim to harvest Ethereum private keys and gain remote access via SSH.
  • The affected packages include ethers-mew, ethers-web3, ethers-6, ethers-eth, ethers-aaa, ethers-audit, and ethers-test.
  • Most of the packages were published by accounts "crstianokavic" and "timyorks", believed to be part of the campaign.
  • The attack requires developers to use the package in their code, making it harder for security teams to detect and respond to the threat.
  • The packages were removed quickly after being discovered, suggesting the authors may have been unwitting accomplices.



The world of cybersecurity is a complex web of threats, vulnerabilities, and exploits that can bring even the most secure systems to their knees. Recently, a new threat has emerged that has drawn the attention of experts: malicious npm packages designed to harvest Ethereum private keys and gain remote access to machines via SSH.

According to a report published by Phylum, a software supply chain security company, a number of suspicious packages have been discovered on the npm registry. These packages impersonate legitimate Ethereum packages and are believed to be part of a campaign that targets developers' Ethereum wallets with SSH backdoors. The affected packages are ethers-mew, ethers-web3, ethers-6, ethers-eth, ethers-aaa, ethers-audit, and ethers-test.

Most of these packages were published by the accounts "crstianokavic" and "timyorks", which are believed to be part of the campaign. Several of the packages differ only minimally from one another, suggesting that they may have been released for testing purposes.

The latest and most complete package in the list is ethers-mew, which can modify the "/root/.ssh/authorized_keys" file to add an attacker-owned SSH key, granting the attacker persistent remote access to the compromised host. This makes the compromise significantly more difficult for developers to detect and remediate.

What makes this campaign particularly stealthy is that the malicious code runs only when the developer actually uses the package in their code, for example by creating a new Wallet instance with the imported package. In most previously observed cases, simply installing the package was enough to trigger execution of the malware. This extra condition makes the threat even harder for security teams to detect and respond to.

According to Phylum, all of these packages, along with the authors' accounts, were only available for a very short time. The authors themselves appear to have removed the packages and deleted their accounts, suggesting that they may have been acting as unwitting accomplices in the campaign.

The discovery of these malicious npm packages is another example of the growing threat of supply chain attacks. Such attacks often go undetected for a long time, allowing attackers to reach sensitive systems and data unnoticed.

In conclusion, the emergence of malicious npm packages designed to harvest Ethereum private keys and gain remote access to machines via SSH is a serious threat that should not be taken lightly. Developers must be vigilant and ensure that they are using secure and up-to-date packages, while security teams must be on high alert for any signs of suspicious activity.
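Two defender-side checks that follow from the description above, as an added example and not code from the article or from Phylum: one walks an npm package-lock.json (lockfileVersion 2/3 layout, where "packages" is keyed by node_modules paths) for the package names reported in the campaign and for other unexpected ethers-prefixed lookalikes, the other flags authorized_keys entries whose key material is not on an operator-maintained allowlist. The lockfile, key file and allowlist are constructed sample data.

```python
import json

# Package names reported in the campaign (taken from the article's list).
KNOWN_BAD = {"ethers-mew", "ethers-web3", "ethers-6", "ethers-eth",
             "ethers-aaa", "ethers-audit", "ethers-test"}
LEGIT = {"ethers"}  # assumption: only the real ethers package is sanctioned


def audit_lockfile(lock: dict) -> list[str]:
    """Return findings for known-bad or suspicious ethers-prefixed dependencies."""
    findings = []
    for path, _meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project entry, not a dependency
            continue
        name = path.split("node_modules/")[-1]  # last segment handles nested deps
        if name in KNOWN_BAD:
            findings.append(f"{name}: known trojanized ethers fork")
        elif name.startswith("ethers-") and name not in LEGIT:
            findings.append(f"{name}: unexpected ethers-prefixed package, review manually")
    return findings


def audit_authorized_keys(text: str, allowlist: set[str]) -> list[str]:
    """Return authorized_keys lines whose key blob is not in the allowlist."""
    unexpected = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # Options (e.g. "no-pty") may precede the key type; the blob follows the type.
        idx = next((i for i, f in enumerate(fields)
                    if f.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        blob = fields[idx + 1] if idx is not None and idx + 1 < len(fields) else None
        if blob is None or blob not in allowlist:  # malformed lines are flagged too
            unexpected.append(line)
    return unexpected


SAMPLE_LOCK = json.loads("""{"lockfileVersion": 3, "packages": {
  "": {"name": "my-dapp"},
  "node_modules/ethers": {"version": "6.13.0"},
  "node_modules/ethers-mew": {"version": "1.0.0"},
  "node_modules/foo/node_modules/ethers-web3": {"version": "0.0.1"}}}""")
SAMPLE_KEYS = "# constructed sample\nssh-ed25519 AAAAC3admin admin@laptop\n" \
              "no-pty ssh-rsa AAAAB3unknown attacker\n"
ALLOW = {"AAAAC3admin"}  # constructed allowlist of approved key blobs

if __name__ == "__main__":
    print(audit_lockfile(SAMPLE_LOCK))
    print(audit_authorized_keys(SAMPLE_KEYS, ALLOW))
```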



    Related Information:

  • https://thehackernews.com/2024/10/malicious-npm-packages-target.html

  • https://blog.phylum.io/trojanized-ethers-forks-on-npm-attempting-to-steal-ethereum-private-keys/

  • https://www.impactcybertrust.org/dataset_view?idDataset=1293


  • Published: Tue Oct 22 06:50:10 2024 by llama3.2 3B Q4_K_M


© Ethical Hacking News. All rights reserved.