Home Security Malicious npm Packages Target Developers’ Ethereum Wallets with SSH Backdoor

Malicious npm Packages Target Developers’ Ethereum Wallets with SSH Backdoor

by


Oct 22, 2024Ravie LakshmananVulnerability / Supply Chain

Cybersecurity researchers have discovered a number of suspicious packages published to the npm registry that are designed to harvest Ethereum private keys and gain remote access to the machine via the secure shell (SSH) protocol.

The packages attempt to “gain SSH access to the victim’s machine by writing the attacker’s SSH public key in the root user’s authorized_keys file,” software supply chain security company Phylum said in an analysis published last week.

The list of packages, which aim to impersonate the legitimate ethers package, identified as part of the campaign are listed as follows –

Some of these packages, most of which have been published by accounts named “crstianokavic” and “timyorks,” are believed to have been released for testing purposes, as most of them carry minimal changes across them. The latest and the most complete package in the list is ethers-mew.

Cybersecurity

This is not the first time rogue packages with similar functionality have been discovered in the npm registry. In August 2023, Phylum detailed a package named ethereum-cryptographyy, a typosquat of a popular cryptocurrency library that exfiltrated the users’ private keys to a server in China by introducing a malicious dependency.

Ethereum Wallets with SSH Backdoor

The latest attack campaign embraces a slightly different approach in that the malicious code is embedded directly into the packages, allowing threat actors to siphon the Ethereum private keys to the domain “ether-sign[.]com” under their control.

What makes this attack a lot more sneaky is the fact that it requires the developer to actually use the package in their code – such as creating a new Wallet instance using the imported package – unlike typically observed cases where simply installing the package is enough to trigger the execution of the malware.

In addition, the ethers-mew package comes with capabilities to modify the “/root/.ssh/authorized_keys” file to add an attacker-owned SSH key and grant them persistent remote access to the compromised host.

“All of these packages, along with the authors’ accounts, were only up for a very short period of time, apparently removed and deleted by the authors themselves,” Phylum said.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.





Source link

Related Articles

xxxanti beeztube.mobi hot sexy mp4 menyoujan hentaitgp.net jason voorhees hentai indian soft core chupatube.net youjzz ez2 may 8 2023 pinoycinema.org ahensya ng pamahalaan pakistani chut ki chudai pimpmovs.com www xvedio dost ke papa zztube.mobi 300mbfilms.in صور مص الزب arabporna.net نهر العطش لمن تشعر بالحرمان movierulz plz.in bustyporntube.info how to make rangoli video 穂高ゆうき simozo.net 四十路五十路 ロシアav javvideos.net 君島みお 無修正 افلام سكس في المطبخ annarivas.net فيلم سكس قديم rashmi hot videos porncorn.info audiosexstories b grade latest nesaporn.pro high school girls sex videos real life cam eroebony.info painfull porn exbii adult pics teacherporntrends.com nepali school sex