A supply chain attack is currently compromising the Ethereum development ecosystem. Malicious npm packages, likely aimed at users of the Nomic Foundation's Hardhat tooling, have infiltrated the ecosystem.
By exploiting the trust developers place in open-source plugins, these packages are exfiltrating sensitive data from developer environments, which includes critical information like private keys, mnemonics, and project configurations, potentially enabling attackers to gain unauthorized control over user accounts, funds, and projects.
Attackers have published malicious npm packages that impersonate legitimate plugins. Once installed, the packages download and execute code from C2 servers whose addresses are retrieved dynamically from Ethereum smart contracts. Because the blockchain is decentralized, the stored C2 address cannot simply be taken down, which makes disrupting the C2 infrastructure challenging.
The analysis identified specific Ethereum addresses linked to these attacks, including the wallet 0x52221c293a21D8CA7AFD01Ac6bFAC7175D590A84, which is used to retrieve C2 server information from the associated smart contract.
Attackers exploit the supply chain by impersonating legitimate packages and organizations: they publish packages with names closely resembling genuine ones, such as “@nomisfoundation/hardhat-configure” and “@monicfoundation/hardhat-config,” designed to pass as authentic Hardhat plugins.
Once installed, these deceptive packages introduce malicious code into the development environment and can compromise the integrity and security of the entire software project. This highlights the need for robust package validation and dependency management to mitigate the risks of supply chain attacks.
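Both lookalike names quoted above differ from the genuine `@nomicfoundation` scope by only one or two characters, which is exactly what an edit-distance check over a project's dependency list catches. The script below is an added example, not code from the Socket report or from Hardhat; the trusted-scope allowlist, the `package.json` contents and the version strings are constructed for the demonstration and would be replaced by a project's own dependency policy.

```javascript
// Added example: flag npm dependencies whose scope is an edit-distance
// lookalike of a trusted scope. Allowlist and package.json are constructed.

// Scopes this project trusts. Assumption: only official Nomic Foundation
// scopes are expected; adjust to your own dependency policy.
const TRUSTED_SCOPES = ["@nomicfoundation", "@nomiclabs"];

// Classic Levenshtein edit distance (insert, delete and substitute cost 1),
// computed with a single rolling row.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diagonal = row[0]; // D[i-1][j-1] for the current column
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j]; // D[i-1][j]
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(above + 1, row[j - 1] + 1, diagonal + cost);
      diagonal = above;
    }
  }
  return row[b.length];
}

// Split "@scope/name" into its parts; unscoped packages get scope null.
function splitName(name) {
  const m = /^(@[^/]+)\/(.+)$/.exec(name);
  return m ? { scope: m[1], base: m[2] } : { scope: null, base: name };
}

// Returns a finding when a dependency's scope is close to, but not equal to,
// a trusted scope; returns null for trusted or clearly unrelated scopes.
function checkDependency(name, trustedScopes = TRUSTED_SCOPES, maxDistance = 2) {
  const { scope } = splitName(name);
  if (scope === null || trustedScopes.includes(scope)) return null;
  for (const trusted of trustedScopes) {
    const distance = editDistance(scope.toLowerCase(), trusted.toLowerCase());
    if (distance <= maxDistance) {
      return { name, lookalikeOf: trusted, distance };
    }
  }
  return null;
}

// Audit every dependency and devDependency in a parsed package.json object.
function auditPackageJson(pkg, trustedScopes = TRUSTED_SCOPES) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  return Object.keys(deps)
    .map((name) => checkDependency(name, trustedScopes))
    .filter((finding) => finding !== null);
}

// Constructed package.json: two legitimate packages plus the two lookalike
// names quoted in the report. Version strings are placeholders.
const SAMPLE_PACKAGE_JSON = {
  devDependencies: {
    "hardhat": "^2.0.0",
    "@nomicfoundation/hardhat-toolbox": "^5.0.0",
    "@nomisfoundation/hardhat-configure": "^1.0.0",
    "@monicfoundation/hardhat-config": "^1.0.0",
  },
};

for (const f of auditPackageJson(SAMPLE_PACKAGE_JSON)) {
  console.log(`suspicious: ${f.name} (edit distance ${f.distance} from ${f.lookalikeOf})`);
}
```

Run with `node` on a copy of the project's `package.json` (parse it with `JSON.parse` and pass the object to `auditPackageJson`); a non-empty result means a dependency should be reviewed before `npm install`. The threshold of 2 is deliberately tight so that unrelated scopes are not reported, while the scope allowlist stays the part a team maintains.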
Malicious Hardhat packages mimic legitimate plugins by adopting similar names, offering seemingly useful functionalities, and targeting critical development stages like deployment and testing.
They leverage the trust developers place in the npm ecosystem and abuse the Hardhat Runtime Environment (HRE) to reach sensitive information, such as private keys or deployment configurations, through functions like `hreInit()` or `hreConfig()`. This allows the attackers to compromise development environments and potentially steal valuable assets or disrupt projects.
An attacker can exploit a Hardhat environment vulnerability to steal sensitive data like mnemonics and private keys. The script extracts this information and encrypts it with a predefined AES key. Finally, the attacker exfiltrates the encrypted data to a malicious server endpoint, compromising the security of the project’s digital assets.
Compromised Hardhat packages exploit the runtime environment, specifically the hreInit() and hreConfig() functions, to steal sensitive information like private keys and mnemonics.
They leverage hardcoded keys and Ethereum addresses to exfiltrate this data to their own endpoints, which jeopardizes the open-source ecosystem and carries the risk of deploying malicious contracts to the Ethereum mainnet, potentially causing significant damage.
According to Socket, this malicious campaign within the open-source ecosystem underscores the importance of rigorous package selection. To mitigate such threats, developers and organizations must implement stricter auditing and monitoring procedures.
By installing the free Socket for GitHub app, developers can leverage AI-powered threat detection, which identifies and prevents various supply chain risks, including malicious packages and 70+ other indicators, from entering their development environments.