Ethereum Wallets targeted by malicious npm packages

November 6, 2024

Numerous suspicious packages have appeared on the npm registry, allegedly targeting Ethereum wallets’ private keys and gaining remote access to the developers’ machines.

According to reports, these malicious packages seek to obtain SSH access to the targeted devices by writing the attacker’s SSH public key to the root user’s authorized_keys file. The packages identified as part of the campaign imitate at least seven authentic ethers packages. These impersonating packages have already garnered at least 1500 downloads.

Most of these packages, published by accounts named “crstianokavic” and “timyorks,” are thought to have been issued for development reasons, given that they differ only by minor changes. As of now, ethers-mew is the most recent and most complete package on the list.

These new malicious packages are the latest threat to Ethereum users.

This impersonation campaign targeting Ethereum wallets is not the first set of hostile packages with identical capabilities found in the npm registry.

In August last year, researchers described a package called Ethereum-cryptography, a misspelling of a well-known cryptocurrency library. That package exfiltrated users’ private keys to a server in China. The heist succeeded after the hackers introduced a harmful dependency.

This latest campaign, however, uses a different method: the malicious code is embedded directly in the packages themselves. It allowed the threat actors to exfiltrate Ethereum private keys to the domain “ether-sign[.]com,” which is under their control.

Furthermore, this attack is even sneakier because the malicious code only runs when the developer actually uses the package in their code, for example by creating a new Wallet instance from the imported package. In the more commonly observed cases, simply installing the package is enough to trigger the malware’s execution.

Additionally, the ethers-mew package can alter the “/root/.ssh/authorized_keys” file, adding an attacker-owned SSH key and allowing them to establish persistent remote access to the infected host.
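The two behaviours described above (a lookalike of the ethers package name, and code that touches root’s authorized_keys or the reported exfiltration domain) can be screened for before a dependency is trusted. The following is an added example, not code from the article or from any of the packages it names; the regexes, the allow-list and the sample sources are constructed assumptions.

```javascript
// Added example, not from the article or the packages it describes.
// Defender-side heuristics for an installed npm dependency: flag a package name
// that imitates "ethers", and flag source text that references the indicators
// the article reports (root's authorized_keys, the ether-sign[.]com domain).

const LEGIT_NAMES = ["ethers"]; // constructed allow-list of genuine package names

// Indicators taken from the article; the regex forms themselves are an assumption.
const SOURCE_INDICATORS = [
  { label: "root authorized_keys reference", re: /\/root\/\.ssh\/authorized_keys/ },
  { label: "reported exfil domain", re: /ether-sign\.com/ },
];

// Standard Levenshtein edit distance; one or two edits is typical of a typosquat.
function editDistance(a, b) {
  const dp = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) dp[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const subst = a[i - 1] === b[j - 1] ? 0 : 1;
      dp[i][j] = Math.min(dp[i - 1][j] + 1, dp[i][j - 1] + 1, dp[i - 1][j - 1] + subst);
    }
  }
  return dp[a.length][b.length];
}

// A name is a lookalike if it is within two edits of a genuine name, or is the
// genuine name plus a suffix (the "ethers-mew" pattern), but not the genuine
// name itself. This is a heuristic: legitimate forks also match and need review.
function isLookalike(name, legit = LEGIT_NAMES) {
  return legit.some(
    (l) => name !== l && (editDistance(name, l) <= 2 || name.startsWith(l + "-"))
  );
}

// Return the labels of every indicator present in the package's source text.
function scanSource(src) {
  return SOURCE_INDICATORS.filter((ind) => ind.re.test(src)).map((ind) => ind.label);
}

// Combine both checks into one verdict for a dependency.
function reviewPackage(name, src) {
  const lookalike = isLookalike(name);
  const indicators = scanSource(src);
  return { name, lookalike, indicators, suspicious: lookalike || indicators.length > 0 };
}

// Constructed sample sources (plain strings only, no executable payload).
const SAMPLE_SUSPECT = "const P = '/root/.ssh/authorized_keys'; const C2 = 'https://ether-sign.com';";
const SAMPLE_BENIGN = "class Wallet { constructor(key) { this.key = key; } }";
```

A real scan would read each package’s `package.json` name and its bundled source files from `node_modules` and feed them to `reviewPackage`; the result is a triage list, not proof of compromise.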

These discoveries show that the threat actor is attempting to establish persistence on targeted devices and bypass security controls. Crypto enthusiasts should therefore be wary of these malicious packages and avoid installing suspicious ones to prevent unwanted outcomes such as asset loss.
