The attackers impersonate legitimate plugins for the Nomic Foundation's Hardhat Ethereum development environment and thereby target developers of software such as smart contracts for cryptocurrencies. The criminals abuse developers' trust in open-source plugins.
As Socket's IT security researchers write in a blog post, the attack is still ongoing. So far they have discovered 20 malicious packages from three authors, some of which have had over a thousand downloads. Installing the fake npm packages compromises the development environment, can introduce backdoors into production systems, and leads to financial loss.
Command-and-control structures are difficult to disrupt
The malware obtains the addresses of its command-and-control servers from Ethereum smart contracts. This takes advantage of the decentralized and immutable nature of the blockchain: the contract cannot simply be taken down, which makes the command-and-control infrastructure difficult to decommission. The IT security researchers were nevertheless able to trace Ethereum wallet addresses related to this malware campaign.
To appear legitimate, the criminals imitate the regular naming of Hardhat plugins. Socket names the packages @nomisfoundation/hardhat-configure and @monicfoundation/hardhat-config, which behave like basic Hardhat plugins but contain malicious code. The criminals also mimic the names of existing plugins: where the legitimate plugin is called hardhat-deploy, the malicious one is called hardhat-deploy-others.
Like regular plugins, the malicious plugins hook into the deployment process and the testing of Ethereum smart contracts. By hosting them on npm, the attackers abuse the trust developers place in this ecosystem. To exfiltrate sensitive data, the malicious packages use functions such as hreInit() or hreConfig(), whereas legitimate plugins use the Hardhat Runtime Environment (HRE) for legitimate tasks like deploying or testing smart contracts.
Socket's analysts write that developers need to exercise care when selecting packages, and that developers and organizations should implement strict testing and monitoring of their development environments. The blog post lists 16 malicious packages as well as malicious URLs, crypto keys, and Ethereum addresses as indicators of compromise (IOCs).
Cryptocurrency software developers are frequently targeted by attackers. In late November it became known that a developer wanted to program a "bump bot" with ChatGPT. The AI, however, built a fraudulent API into the code, causing a loss of $2,500 for a person interested in crypto.
(DMK)