Cryptocurrencies: Ethereum developers targeted by attackers
Criminals have distributed fake NPM packages for the Ethereum development platform Hardhat and harvested sensitive data from developers who installed them.
(Image: created with AI in Bing Designer by heise online / dmk)
Attackers are imitating legitimate plug-ins for Hardhat, the Nomic Foundation's Ethereum development environment, and using them to attack developers of smart contracts and other software for the Ethereum platform. The perpetrators are abusing the trust that developers place in open source plug-ins.
As the IT security researchers from Socket write in a blog post, the attack is still ongoing. So far they have tracked down 20 malicious packages from three publishing accounts, some of which have been downloaded more than a thousand times. Installing the fake NPM packages leads to compromised development environments, possible backdoors in production systems and loss of funds.
Command-and-control structures difficult to disrupt
The malware obtains the addresses of its command-and-control servers from Ethereum smart contracts. Because the blockchain is decentralized and its contents are immutable, the command-and-control infrastructure is hard to take down. The IT security researchers were able to identify Ethereum wallet addresses associated with this malware campaign.
To appear legitimate, the criminals follow the naming scheme of the real Hardhat plug-ins. Socket names, for example, the packages @nomisfoundation/hardhat-configure and @monicfoundation/hardhat-config, which look like official Hardhat plug-ins (the legitimate scope is @nomicfoundation) but contain malicious code. The perpetrators also imitate functionality: where a legitimate plug-in is called hardhat-deploy, for example, a malicious one is named hardhat-deploy-others.
Like the legitimate ones, the malicious plug-ins hook into the deployment process and Ethereum smart contract testing. By hosting them on NPM, the attackers abuse developers' trust in that ecosystem. The malicious packages use functions such as hreInit() or hreConfig() to exfiltrate sensitive data, whereas legitimate plug-ins use the Hardhat Runtime Environment (HRE) for valid tasks such as deploying or testing smart contracts.
Socket's analysts write that developers must be careful when selecting packages; developers and organizations should therefore implement stricter vetting and monitoring of development environments. The blog post lists 16 malicious packages as well as malicious URLs, crypto keys and Ethereum addresses as indicators of compromise (IOCs).
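As an added example, not code from the article or from Socket's report: a small Node.js check that compares a project's dependencies against an allowlist of trusted Hardhat scopes and package names and flags the two patterns described above, a scope that is one or two edits away from a trusted one, and a name that pads or reuses a trusted plug-in name. The allowlist, the edit-distance threshold and the sample package.json are assumptions constructed for illustration; the lookalike names fed into it are the ones Socket reports.

```javascript
// Added example (not from heise or Socket): flag lookalike dependencies in a package.json.
// TRUSTED_SCOPES / TRUSTED_PACKAGES are an illustrative allowlist, not an authoritative one.
const TRUSTED_SCOPES = ["@nomicfoundation", "@nomiclabs", "@openzeppelin"];
const TRUSTED_PACKAGES = [
  "hardhat",
  "hardhat-deploy",
  "hardhat-gas-reporter",
  "@nomicfoundation/hardhat-toolbox",
  "@nomicfoundation/hardhat-ethers",
  "@nomicfoundation/hardhat-verify",
  "@nomiclabs/hardhat-ethers",
  "@nomiclabs/hardhat-etherscan",
];
const LOOKALIKE_DISTANCE = 2;     // assumption: <= 2 edits counts as a typosquat
const ECOSYSTEM_PREFIX = "hardhat"; // every plug-in legitimately starts with this, so it is
                                    // excluded from the "extends a trusted name" rule

// Plain Levenshtein edit distance (single-row dynamic programming).
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + cost);
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Split "@scope/name" into its scope and bare name; unscoped names get scope null.
function splitName(name) {
  if (name.startsWith("@")) {
    const slash = name.indexOf("/");
    if (slash > 0) return { scope: name.slice(0, slash), bare: name.slice(slash + 1) };
  }
  return { scope: null, bare: name };
}

const TRUSTED_BARE = new Set(TRUSTED_PACKAGES.map((p) => splitName(p).bare));

// Classify one dependency name: trusted, lookalike-scope, lookalike-name or unknown.
function checkDependency(name) {
  if (TRUSTED_PACKAGES.includes(name)) {
    return { name, verdict: "trusted", reason: "exact match on allowlist" };
  }
  const { scope, bare } = splitName(name);
  if (scope !== null) {
    if (TRUSTED_SCOPES.includes(scope)) {
      return { name, verdict: "unknown", reason: `trusted scope ${scope}, but not on allowlist` };
    }
    for (const t of TRUSTED_SCOPES) {
      const d = levenshtein(scope, t);
      if (d <= LOOKALIKE_DISTANCE) {
        return { name, verdict: "lookalike-scope", reason: `scope ${scope} is ${d} edit(s) from ${t}` };
      }
    }
  }
  for (const t of TRUSTED_BARE) {
    if (t !== ECOSYSTEM_PREFIX && bare.startsWith(t + "-")) {
      return { name, verdict: "lookalike-name", reason: `extends trusted name ${t}` };
    }
    const d = levenshtein(bare, t);
    if (d <= LOOKALIKE_DISTANCE) {
      const reason = d === 0 ? `trusted name ${t} under a different scope` : `${bare} is ${d} edit(s) from ${t}`;
      return { name, verdict: "lookalike-name", reason };
    }
  }
  return { name, verdict: "unknown", reason: "not on allowlist" };
}

// Audit a parsed package.json; returns every dependency that is not exactly trusted.
function auditPackageJson(pkg) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  return Object.keys(deps).map(checkDependency).filter((f) => f.verdict !== "trusted");
}

// Constructed sample input mixing legitimate names with the lookalikes Socket reports.
const SAMPLE_PACKAGE_JSON = {
  devDependencies: {
    "hardhat": "*",
    "@nomicfoundation/hardhat-toolbox": "*",
    "@nomisfoundation/hardhat-configure": "*",
    "@monicfoundation/hardhat-config": "*",
    "hardhat-deploy-others": "*",
    "ethers": "*",
  },
};

for (const f of auditPackageJson(SAMPLE_PACKAGE_JSON)) {
  console.log(`${f.verdict.padEnd(15)} ${f.name}: ${f.reason}`);
}
```

Running it prints two lookalike-scope findings, one lookalike-name finding for hardhat-deploy-others and an "unknown" for ethers, which is merely absent from the allowlist; in a CI job the lookalike verdicts are the ones to fail the build on, while "unknown" should prompt a review of the publisher before the package is added to the allowlist.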
Developers of cryptocurrency software are a frequent target. At the end of November, for example, it became known that a developer had tried to program a "bump bot" with ChatGPT; the AI built a fraudulent API into the code, resulting in a loss of 2,500 US dollars for crypto enthusiasts.
(dmk)