Hacker targets ETH and SOL devs via typosquat npm packages

Ethereum and Solana developers were targeted by five malicious npm packages that steal private keys and send them to the attacker. The packages rely on typosquatting, mimicking legitimate crypto libraries.

Security researchers from Socket found the five malicious npm packages published under a single account. The malicious campaign covers the Ethereum and Solana ecosystems, with active command and control (C2) infrastructure.

One of the packages was unpublished within five minutes, but it hid its code and sent stolen data to the attacker.

Hackers target Ethereum and Solana devs

Crypto hackers do not only target retail investors and the elderly. They rely on social engineering tactics and typosquatting to trick developers and steal their crypto.

Typosquatting is a tactic where attackers create fake packages with names similar to popular libraries. Developers may accidentally install these malicious packages, thinking they are legitimate.

The job of the malicious packages is to divert keys to a hardcoded Telegram bot.

The malicious npm attack works by hooking functions that developers use to pass private keys. When a function is called, the package sends the key to the attacker’s Telegram bot before returning the expected result. This makes the attack invisible to the unaware devs.

According to security researchers, four packages target Solana developers, while one targets Ethereum developers.

Malicious npm packages vs. legitimate crypto libraries. Source: Socket.

The four packages targeting Solana intercept Base58 decode() calls, while the ethersproject-wallet package targets the Ethereum Wallet constructor.

All of the malicious packages rely on global fetch, which requires Node.js 18 or later. On older versions, the request fails silently, and no data is stolen.

All packages send data to the same Telegram endpoint. The bot token and chat ID are hardcoded in every package, and there is no external server, so the channel works as long as the Telegram bot stays online.

The raydium-bs58 package is the simplest. It modifies a decode function and sends the key before returning the result. The README is copied from a legitimate SDK, and the author field is empty.

The second Solana package, base-x-64, hides the payload with obfuscation. The payload sends a message to Telegram with the stolen key.

The bs58-basic package contains no malicious code itself but it depends on base-x-64 and passes the payload through the chain.

The Ethereum package, ethersproject-wallet package, copies a real library, @ethersproject/wallet. The malicious package inserts one extra line after compilation. The change appears only in the compiled file, which confirms manual tampering.

All packages share the same command endpoint, typos, and build artifacts. Two packages use identical compiled files. Another package depends directly on the other. These links point to a single actor using the same workflow.

Takedown requests have been submitted to npm by security researchers. Private keys lost to this attack are compromised and any associated funds should be moved quickly to a new wallet.

Hackers continue to target crypto devs. According to Cryptopolitan, hackers managed to infect 178 macOS devs through a fake OpenClaw installer. The fake installer, dubbed GhostClaw was listed on the npm registry for a while before being removed. It was designed to steal private keys, seed phrases, and other sensitive data.

Source