15 November 2024
A recent supply chain attack targeted cryptocurrency software developers on the heels of a similar campaign a few weeks ago targeting developers using forks of the Ethers.js library.
Cybersecurity researchers at Phylum reported on October 31 that a threat actor uploaded hundreds of malicious packages to npm, an open source repository used in JavaScript development. The malicious packages have names similar to libraries that are frequently used when working with cryptocurrency. If a developer were to search for a common misspelling of the names of those libraries, they might inadvertently download one of the malicious packages instead. Those packages connect to a hidden server, fetch a malicious second-stage payload, and infect the developers’ computers, presumably in an effort to steal the cryptocurrency of those developers or their users.
Modern applications are often assembled from a long list of open source libraries, and this incident is an important reminder of the risks that come with that approach. Careful attention to the provenance of the libraries that are used, and continuous monitoring for updates and vulnerabilities in those libraries, are important pieces of software security. Companies that have not paid close attention to this type of risk may want to consider auditing the libraries incorporated into their applications.
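As an added illustration of the kind of audit suggested above (example code, not from the post or from Phylum's report), the script below scans a package.json "dependencies" section for names that are a small edit distance away from well-known cryptocurrency libraries. The list of known packages and the sample dependencies are constructed; "ethres" and "web33" are invented lookalike names, not packages observed in the actual campaign.

```javascript
// Added example: flag dependencies whose names are within a couple of edits
// of a well-known package, the pattern behind the typosquatting described above.
// KNOWN_PACKAGES and SAMPLE_DEPENDENCIES are constructed for this example.
const KNOWN_PACKAGES = ["ethers", "web3", "bitcoinjs-lib", "@solana/web3.js"];

// Standard Levenshtein edit distance (single-row dynamic programming).
function editDistance(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + cost);
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Return {name, lookalikeOf, distance} for each dependency that is not an
// exact known package but sits within maxDistance edits of one.
function findLookalikes(dependencies, known = KNOWN_PACKAGES, maxDistance = 2) {
  const findings = [];
  for (const name of Object.keys(dependencies)) {
    if (known.includes(name)) continue; // exact match: the real package
    for (const k of known) {
      const d = editDistance(name.toLowerCase(), k.toLowerCase());
      if (d <= maxDistance) {
        findings.push({ name, lookalikeOf: k, distance: d });
        break;
      }
    }
  }
  return findings;
}

// Constructed package.json "dependencies" section; the lookalike names are
// invented for this example and are not the packages from the real campaign.
const SAMPLE_DEPENDENCIES = {
  "ethers": "^6.13.0",
  "ethres": "^1.0.0",
  "web33": "^0.1.0",
  "express": "^4.19.0",
};

console.log(findLookalikes(SAMPLE_DEPENDENCIES));
```

Edit distance is only a heuristic: a hit is a prompt to check the package's publisher, download history and repository before trusting it, and legitimate forks will also trigger it.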
The Phylum blog post details names, IP addresses, and cryptographic hashes associated with the malicious packages used in this campaign.
Authored by Nathan Salminen and Emma Kotfica.