A threat actor, “topnotchdeveloper12,” has deployed three malicious npm packages (crypto-keccak, crypto-jsonwebtoken, and crypto-bignumber) disguised as legitimate cryptographic libraries.
These packages contain spyware/infostealer malware that targets crypto-asset developers. Distributed through npm and GitHub, the malware exfiltrates credentials, wallet data, and other sensitive information to C2 servers via HTTP POST requests.
The malicious packages, downloaded over 1,000 times, remain active on the npm registry, posing a significant threat to the software supply chain, especially for developers working in cryptography and blockchain.
The attackers exploited trust in the open-source ecosystem by publishing packages that impersonated the popular libraries keccak, jsonwebtoken, and bignumber; the packages carried a hidden Microsoft Store.exe file that acted as a backdoor for deploying the spyware-infostealer.
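A defender's first question after a report like this is whether any project already pulls in the named packages. The following Python audit is an added example, not code from the report, from Socket, or from the attacker: it reads a package.json, flags the three package names the report lists, and also flags names that wrap one of the impersonated library names in an extra hyphenated prefix or suffix. The package.json content is constructed for the demonstration, and the lookalike heuristic is this example's own assumption, not a rule from the report.

```python
"""Audit a package.json for the malicious npm package names named in the report."""
import json
import re

# Package names taken from the report, and the legitimate libraries they imitate
KNOWN_MALICIOUS = {"crypto-keccak", "crypto-jsonwebtoken", "crypto-bignumber"}
IMPERSONATED = {"keccak", "jsonwebtoken", "bignumber"}

# Constructed sample package.json for demonstration (not from the report)
SAMPLE_PACKAGE_JSON = """
{
  "name": "wallet-tool",
  "dependencies": {
    "keccak": "^3.0.4",
    "crypto-jsonwebtoken": "1.0.2",
    "express": "^4.19.2",
    "safe-jsonwebtoken": "2.0.0"
  },
  "devDependencies": {
    "crypto-bignumber": "0.1.0"
  }
}
"""


def collect_dependencies(package_json_text):
    """Merge every dependency section into one {name: version-spec} mapping."""
    data = json.loads(package_json_text)
    deps = {}
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        deps.update(data.get(section, {}))
    return deps


def audit(deps):
    """Return (name, verdict, spec) for each suspicious dependency, sorted by name.

    Verdicts: "known-malicious" for names the report lists, or
    "lookalike-of-<lib>" for a name that wraps an impersonated library name
    in a hyphenated prefix/suffix (heuristic assumed by this example).
    """
    findings = []
    for name, spec in sorted(deps.items()):
        if name in KNOWN_MALICIOUS:
            findings.append((name, "known-malicious", spec))
            continue
        for legit in sorted(IMPERSONATED):
            pattern = rf"(?:[\w.]+-)?{re.escape(legit)}(?:-[\w.]+)?"
            if name != legit and re.fullmatch(pattern, name):
                findings.append((name, f"lookalike-of-{legit}", spec))
                break
    return findings


if __name__ == "__main__":
    for name, verdict, spec in audit(collect_dependencies(SAMPLE_PACKAGE_JSON)):
        print(f"{verdict:28} {name}@{spec}")
```

The lookalike rule deliberately requires a hyphen boundary, so a legitimately named package such as bignumber.js is not flagged; anything the heuristic does raise still needs a human to check the package's publisher and repository link before it is treated as malicious.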
This attack highlights the vulnerability of open-source software supply chains and the need for stronger security measures to protect both software developers and end users.
Disguised as a legitimate npm package, the malware targets Windows systems by leveraging the compromised ‘Microsoft Store.exe’ to execute a malicious payload that steals sensitive user data, including cryptocurrency wallet information and browser credentials.
It achieves persistence by modifying the Windows registry and surveils the victim through keylogging and clipboard monitoring; it specifically targets the MetaMask browser extension, which shows its focus on cryptocurrency-related data.
The malware exfiltrates sensitive data via HTTP POST requests to a C2 server at 209.151.151[.]172, using dynamic endpoint paths for data exfiltration, telemetry, and potential future operations.
It uses curl to send heartbeat requests carrying a unique identifier and a status update to the C2 server, which lets the operators track infected systems and potentially deploy additional malicious payloads.
The attacker also lent the packages credibility by including links to legitimate GitHub libraries. One package, “crypto-bignumber,” linked instead to the attacker’s own repository, which contained “bigNumber.exe”; this binary mimicked the information stealing of Microsoft Store.exe but used a separate C2 server at 69.164.209.197.
That C2 server communicated over the “/media/itemmedia” and “/timetrack/add” paths, suggesting these functions are central to its operation; the presence of a secondary C2 server indicates the attacker values redundancy so that operations continue if the main infrastructure fails.
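The network behaviour described above (HTTP POSTs to two C2 addresses, curl-driven heartbeats, and the two fixed paths on the secondary server) is what an analyst would hunt for in outbound proxy logs. The following Python detector is an added example, not tooling from the report or from Socket: it parses a simple proxy log format, matches each request against the report's C2 indicators, and groups hits by internal source so responders know which hosts to isolate first. The log lines and their format are constructed for this example, and the "curl POST to a bare public IP" rule is a heuristic assumed here rather than a signature from the report.

```python
"""Hunt for the reported C2 traffic pattern in HTTP proxy logs."""
import ipaddress
import re
from collections import defaultdict

# Indicators from the report; the first is written defanged in the text and undefanged here
C2_IPS = {ip.replace("[.]", ".") for ip in ("209.151.151[.]172", "69.164.209.197")}
C2_PATHS = {"/media/itemmedia", "/timetrack/add"}

# Constructed sample proxy log (not from the report): ts src method url status "user-agent"
SAMPLE_LOG = """\
2024-06-01T10:00:01Z 10.0.0.5 GET http://registry.npmjs.org/keccak 200 "npm/10.2.0"
2024-06-01T10:00:07Z 10.0.0.5 POST http://209.151.151.172/a1b2c3/upload 200 "curl/8.4.0"
2024-06-01T10:00:09Z 10.0.0.7 GET http://example.org/index.html 200 "Mozilla/5.0"
2024-06-01T10:01:07Z 10.0.0.5 POST http://209.151.151.172/a1b2c3/ping 200 "curl/8.4.0"
2024-06-01T10:02:15Z 10.0.0.9 POST http://69.164.209.197/timetrack/add 200 "curl/8.4.0"
2024-06-01T10:02:40Z 10.0.0.9 POST http://10.0.0.20/api/upload 200 "curl/8.4.0"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)
URL_RE = re.compile(r"^https?://(?P<host>[^/:]+)(?::\d+)?(?P<path>/[^?#]*)?")


def parse_line(line):
    """Return the log record as a dict, or None for lines that do not fit the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    u = URL_RE.match(rec["url"])
    rec["host"] = u.group("host") if u else ""
    rec["path"] = (u.group("path") or "/") if u else ""
    return rec


def is_public_ip(host):
    """True only when host is a literal, globally routable IP address."""
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:  # hostnames are not IP literals
        return False


def classify(rec):
    """List the reasons a record matches the reported C2 behaviour (empty = benign)."""
    reasons = []
    if rec["host"] in C2_IPS:
        reasons.append("c2-ip:" + rec["host"])
    if rec["path"] in C2_PATHS:
        reasons.append("c2-path:" + rec["path"])
    # Heuristic (assumed here): the heartbeat/exfil pattern is a curl POST straight to a bare public IP
    if rec["method"] == "POST" and rec["ua"].startswith("curl/") and is_public_ip(rec["host"]):
        reasons.append("curl-post-to-public-ip")
    return reasons


def scan(log_text):
    """Return (timestamp, source, reasons) for every matching line, in log order."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            hits.append((rec["ts"], rec["src"], reasons))
    return hits


def hosts_to_review(hits):
    """Group hits by internal source host so responders can prioritise isolation."""
    by_src = defaultdict(list)
    for ts, src, reasons in hits:
        by_src[src].append((ts, reasons))
    return dict(by_src)


if __name__ == "__main__":
    for src, events in hosts_to_review(scan(SAMPLE_LOG)).items():
        print(src)
        for ts, reasons in events:
            print("  ", ts, ", ".join(reasons))
```

Because the primary server uses dynamic endpoint paths, the example matches that server by address only and reserves path matching for the two fixed paths of the secondary server; the curl heuristic is there to catch a future address change, at the cost of needing review of any legitimate curl-based uploads to public IPs in your environment.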
According to Socket, the recent cyberattack poses a significant threat to the crypto-asset ecosystem. By compromising developer credentials and wallet data, attackers can directly steal funds from individuals.
System disruptions and widespread data breaches are two potential outcomes of an infiltration of organizational systems.
The targeting of npm and GitHub, critical platforms for software development, undermines the security of the entire software supply chain, potentially leading to widespread vulnerabilities and exploitation.