Recent investigations have revealed two separate but related attacks targeting the Ethereum developer community through malicious npm packages.
These attacks involve typosquatting popular Ethereum libraries and inserting malicious code to exfiltrate private keys and compromise developer systems.
Understanding these incidents is crucial for safeguarding projects and personal security in the blockchain ecosystem.
First Attack: Trojanized Ethers Forks Attempting to Steal Private Keys
A series of malicious packages were published on npm impersonating the widely used ethers library, which facilitates interaction with the Ethereum blockchain and has over 1.3 million weekly downloads.
The attacker created packages with names similar to the legitimate library:
These packages contain malicious code designed to:
- 1. Exfiltrate Ethereum Private Keys: When a developer instantiated a new Wallet using the malicious library, the code would send the private key to a remote server controlled by the attacker (https://ether-sign.com/api/checkServer).
- 2. Gain Unauthorized SSH Access: The malware attempted to append the attacker's SSH public key to the root user's authorized_keys file, potentially granting the attacker remote SSH access to the developer's machine.
Technical Details
- Wallet Constructor Modification: The Wallet class in the malicious package includes additional code that calls a function checkAddress with the private key as an argument.
- Layered Indirection: The checkAddress function calls another function checkServer, which makes an HTTP POST request to the attacker's server, sending the private key.
- SSH Key Insertion: A function named superSignKey writes the attacker's SSH public key to the root user's authorized_keys file.
- Obfuscation Tactics: The attacker uses plausible function names and mimics the structure of the legitimate ethers library to avoid detection. The malicious code is spread across multiple files and modules, making it harder to trace.
Indicators of Compromise (IOCs)
- Malicious Domain: ether-sign.com (Registered on October 15, 2023)
- IP Address: 88.99.95.50 (Hosted on Hetzner Online)
- Attacker's SSH Public Key: An SSH key associated with the username cp@DESKTOP-7BQLEIP is inserted into the authorized_keys file.
Second Attack: Typosquat of Ethereum-Cryptography Package Sending Private Keys to Remote Server
An earlier attack involved typosquatting the widely-used ethereum-cryptography package, which has over 1.2 million downloads and contains cryptographic primitives essential for Ethereum development.
The attacker published malicious packages with names similar to the legitimate package:
- `ethereum-cryptographyy (note the extra 'y')`
- `ethereum-cryptographyyy`
Additionally, the attacker created a malicious version of a critical dependency: @jackshanyeshuzi/curvess (typosquat of @noble/curves)
Malicious Activities
- 1. Exfiltration of Private Keys: The attacker modified the cryptographic functions to send private keys to a server located in China (wallet.cba123.cn).
- 2. Maintaining Core Functionality: The malicious packages retained all the legitimate functionalities to avoid raising suspicion, with the only addition being the code that exfiltrates the private key.
- 3. Attempted Obfuscation: In later versions, the attacker attempted to obfuscate the malicious code, although the obfuscation was relatively amateurish and could still be deciphered upon close inspection.
Technical Details
- Modified Dependencies: The attacker changed the package's dependencies to point to the malicious @jackshanyeshuzi/curvess instead of the legitimate @noble/curves.
- Insertion of Malicious Code: Within the cryptographic functions, specifically in files like weierstrass.js, the attacker inserted code that sends the user's private key to the remote server.
- Server Location: The domain wallet.cba123.cn is registered in China, and WHOIS records confirm its location.
Indicators of Compromise (IOCs)
Malicious Domain: wallet.cba123.cn
Affected Packages and Versions: Multiple versions of `ethereum-cryptographyyy` and @jackshanyeshuzi/curvess were published over a short period.
Timeline of Malicious Activity
- August 3, 2023: Initial publication of @jackshanyeshuzi/curvess and ethereum-cryptographyy.
- August 4, 2023: Multiple updates and additional malicious packages published.
The attacker unpublished some packages shortly after publishing them, possibly to avoid detection.
Comparative Analysis
Attack Vectors
Both attacks leveraged typosquatting, creating packages with names similar to popular libraries to deceive developers into installing them.
The attackers exploited the trust developers place in widely-used open-source packages, especially those related to cryptography.
Malicious Payloads
- Private Key Exfiltration: The primary goal in both attacks was to steal Ethereum private keys, which could lead to immediate financial loss and compromise of blockchain assets.
- System Compromise: The first attack also attempted to gain SSH access to the developer's machine, potentially allowing the attacker to execute arbitrary commands and access sensitive data.
Obfuscation Techniques
Both attackers attempted to hide their malicious code within legitimate-looking functions and modules.
They used plausible function names and maintained the overall structure of the original libraries to avoid detection during casual code reviews.
Differences
The first attack was more aggressive in attempting to gain system-level access through SSH key insertion.
The second attack focused solely on exfiltrating private keys and tried to maintain a low profile by keeping the malicious code changes minimal.
Recommendations
1. Vigilance in Dependency Management
- Verify Package Names: Pay close attention to package names to avoid typosquatting traps. Even a single character difference can indicate a malicious package.
- Check Package Metadata: Review the number of downloads, version history, and publisher information. New packages with low download counts and recent publication dates should be treated with caution.
2. Use Trusted Sources
- Official Repositories: Whenever possible, use packages from verified publishers or official repositories.
- Package Signing: Consider using packages that are signed or verified through checksum to ensure integrity.
3. Code Review
- Inspect Dependencies: Before adding new dependencies, especially those handling sensitive operations like cryptography, review the source code if feasible.
- Automated Scanning Tools: Utilize security tools that can automatically scan dependencies for known vulnerabilities or malicious code patterns.
4. Network Monitoring
- Monitor Outgoing Traffic: Use network monitoring solutions to detect and block unauthorized outbound requests to unknown domains.
- Alert on Suspicious Activity: Set up alerts for unusual network activities, such as HTTP requests to domains not associated with your development work.
5. System Security Practices
- Regular Audits: Periodically audit system files like authorized_keys to detect unauthorized modifications.
- Least Privilege Principle: Avoid running development tools and applications with root or administrator privileges unless necessary.
- Update and Patch: Keep your systems and applications updated to protect against known vulnerabilities.
- Report Suspicious Packages: If you discover a malicious package, report it to the package registry and the wider community.
- Stay Informed: Keep abreast of security advisories and reports from reputable sources within the developer community.