Ethereum Devs under Attack: Fake Hardhat npm Packages Deployed by Hackers

Cybersecurity researchers have uncovered several malicious packages on the npm registry, which impersonate the Nomic Foundation’s Hardhat tool to steal sensitive data from developer systems.

The Socket research team explained, “Attackers exploit trust in open-source plugins to infiltrate platforms using malicious npm packages. These packages exfiltrate critical data, including private keys, mnemonics, and configuration details.”

Hardhat, a development environment for Ethereum software, integrates tools for editing, compiling, debugging, and deploying smart contracts and decentralized apps (dApps).

The identified counterfeit packages include:

  • nomicsfoundations
  • @nomisfoundation/hardhat-configure
  • installedpackagepublish
  • @nomisfoundation/hardhat-config
  • @monicfoundation/hardhat-config
  • @nomicsfoundation/sdk-test
  • @nomicsfoundation/hardhat-config
  • @nomicsfoundation/web3-sdk
  • @nomicsfoundation/sdk-test1
  • @nomicfoundations/hardhat-config
  • crypto-nodes-validator
  • solana-validator
  • node-validators
  • hardhat-deploy-others
  • hardhat-gas-optimizer
  • solidity-comments-extractors

Among these, @nomicsfoundation/sdk-test has drawn significant attention, with 1,092 downloads since its publication in October 2023. After installation, these packages harvest sensitive information, such as mnemonic phrases and private keys, from the Hardhat environment and transmit it to an attacker-controlled server.

How does it work?

The attack begins when one of the counterfeit packages is installed. The package then abuses the Hardhat runtime environment, calling functions such as hreInit() and hreConfig() to collect private keys, mnemonics, and configuration files. The stolen data is sent to attacker-controlled endpoints, using hardcoded keys and Ethereum addresses to streamline exfiltration.

This disclosure follows the recent discovery of another malicious npm package, ethereumvulncontracthandler, which masquerades as a library for detecting vulnerabilities in Ethereum smart contracts. Instead, it delivers the Quasar RAT malware.

Furthermore, recent months have revealed malicious npm packages leveraging Ethereum smart contracts for command-and-control (C2) server address distribution. These efforts have turned infected machines into a blockchain-powered botnet called MisakaNetwork, linked to a Russian-speaking threat actor known as “_lain.”

“The threat actor highlights a fundamental complexity of the npm ecosystem,” Socket noted. “Packages often rely on numerous dependencies, creating a convoluted ‘nesting doll’ structure ripe for exploitation.”

The dependency chain in software ecosystems complicates comprehensive security reviews, creating opportunities for attackers to inject malicious code. The threat actor “_lain” openly admitted to exploiting this complexity, capitalizing on the impracticality of developers scrutinizing every package and dependency within the npm ecosystem.

However, this issue extends beyond npm. A series of fake libraries uncovered across the npm, PyPI, and RubyGems ecosystems have been found using out-of-band application security testing (OAST) tools, such as oastify.com and oast.fun, to exfiltrate sensitive data to attacker-controlled servers.

The identified packages include:

  • adobe-dcapi-web (npm): Avoids compromising endpoints in Russia while collecting system information from Windows, Linux, and macOS.
  • monoliht (PyPI): Gathers system metadata from targeted machines.
  • chauuuyhhn, nosvemosssadfsd, holaaaaaafasdf (RubyGems): Contain embedded scripts that exfiltrate sensitive information through DNS queries directed to an oastify.com endpoint.

“The same tools and techniques designed for ethical security assessments are being misused by threat actors,” noted Kirill Boychenko, a researcher at Socket. “Originally intended to identify vulnerabilities in web applications, OAST methods are now being exploited to steal data, establish command-and-control (C2) channels, and execute multi-stage attacks.”

How to proceed?

To mitigate the supply chain risks posed by such packages, developers should take several precautions:

  • Verify the authenticity of packages before installation.
  • Exercise caution when typing package names to avoid typosquatting traps.
  • Inspect the source code thoroughly to detect any malicious behaviors.

By staying vigilant, developers can reduce the likelihood of falling victim to these increasingly sophisticated supply chain attacks.

Source: TheHackerNews