Nine-Year-Old npm Packages Compromised to Exfiltrate API Keys via Obfuscated Scripts

In a recent cybersecurity incident, several longstanding npm packages, some over nine years old, have been compromised to extract sensitive information from developers’ systems. These packages, integral to blockchain development, were found to contain obfuscated scripts designed to harvest data such as API keys, access tokens, and SSH keys.

Compromised Packages and Versions:

– `country-currency-map` (version 2.1.8)
– `bnb-javascript-sdk-nobroadcast` (version 2.16.16)
– `@bithighlander/bitcoin-cash-js-lib` (version 5.2.2)
– `eslint-config-travix` (version 6.3.1)
– `@crosswise-finance1/sdk-v2` (version 0.1.21)
– `@keepkey/device-protocol` (version 7.13.3)
– `@veniceswap/uikit` (version 0.65.34)
– `@veniceswap/eslint-config-pancake` (version 1.6.2)
– `babel-preset-travix` (version 1.2.1)
– `@travix/ui-themes` (version 1.1.5)
– `@coinmasters/types` (version 4.8.16)

These packages were found to contain obfuscated scripts located in `package/scripts/launch.js` and `package/scripts/diagnostic-report.js`. Upon installation, these scripts execute automatically, collecting sensitive data and transmitting it to a remote server at `eoi2ectd5a5tn1h.m.pipedream[.]net`.
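The following Node.js script is an added example for defenders and is not part of the original report or of any of the affected projects. It checks a `package-lock.json` (lockfile version 2 or 3 `packages` map) for the exact compromised versions listed above, and separately audits a package manifest for install-time lifecycle hooks (`preinstall`, `install`, `postinstall`), which is the mechanism that lets a script run automatically at install time, while looking for the exfiltration host in any script sources the caller passes in. The lockfile, manifest and script text embedded below are constructed sample data; the `postinstall` command shown is an assumption about how such a script would be wired up, not a copy of the real manifest.

```javascript
// Added example (not from the report): flag the compromised npm releases
// and install-time hooks in a project's lockfile and manifests.

// Exact package@version pairs named in the report.
const COMPROMISED = {
  'country-currency-map': '2.1.8',
  'bnb-javascript-sdk-nobroadcast': '2.16.16',
  '@bithighlander/bitcoin-cash-js-lib': '5.2.2',
  'eslint-config-travix': '6.3.1',
  '@crosswise-finance1/sdk-v2': '0.1.21',
  '@keepkey/device-protocol': '7.13.3',
  '@veniceswap/uikit': '0.65.34',
  '@veniceswap/eslint-config-pancake': '1.6.2',
  'babel-preset-travix': '1.2.1',
  '@travix/ui-themes': '1.1.5',
  '@coinmasters/types': '4.8.16',
};

// Host fragment from the report; matches both the defanged and live spelling.
const EXFIL_HOST_FRAGMENT = 'eoi2ectd5a5tn1h.m.pipedream';

// npm lifecycle hooks that run code during `npm install`.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Derive the package name from a lockfile path such as
// "node_modules/a/node_modules/@scope/b" -> "@scope/b".
function nameFromLockPath(path) {
  const marker = 'node_modules/';
  return path.slice(path.lastIndexOf(marker) + marker.length);
}

// Return every installed package whose name and version match an IoC.
function findCompromised(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry, not a dependency
    const name = entry.name || nameFromLockPath(path);
    if (COMPROMISED[name] === entry.version) {
      hits.push({ name, version: entry.version, path });
    }
  }
  return hits;
}

// Audit one package.json: list install-time hooks and, for any script
// sources supplied as { relativePath: text }, the files referencing the host.
function auditManifest(manifest, scriptSources = {}) {
  const scripts = manifest.scripts || {};
  const installHooks = INSTALL_HOOKS
    .filter((hook) => scripts[hook])
    .map((hook) => ({ hook, command: scripts[hook] }));
  const iocFiles = Object.entries(scriptSources)
    .filter(([, src]) => src.includes(EXFIL_HOST_FRAGMENT))
    .map(([file]) => file);
  return { installHooks, iocFiles };
}

// --- Constructed sample data (assumptions, not captured artifacts) ---
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/@keepkey/device-protocol': { version: '7.13.3' },
    'node_modules/country-currency-map': { version: '2.1.7' }, // earlier, unflagged release
    'node_modules/lodash': { version: '4.17.21' },
  },
};

const SAMPLE_MANIFEST = {
  name: '@keepkey/device-protocol',
  version: '7.13.3',
  // Hypothetical wiring of an install-time script; the report only states the path.
  scripts: { postinstall: 'node scripts/launch.js', test: 'jest' },
};

const SAMPLE_SCRIPT_SOURCES = {
  // Stand-in text containing only the defanged host, not any payload.
  'scripts/launch.js': '/* constructed */ const host = "eoi2ectd5a5tn1h.m.pipedream[.]net";',
};

// Stand-alone run: print what a practitioner would see on a hit.
console.log('compromised:', findCompromised(SAMPLE_LOCK));
console.log('manifest audit:', auditManifest(SAMPLE_MANIFEST, SAMPLE_SCRIPT_SOURCES));

module.exports = { findCompromised, auditManifest, nameFromLockPath, COMPROMISED };
```

In a real project, load `package-lock.json` with `JSON.parse(fs.readFileSync(...))` and walk `node_modules/*/package.json` to feed `auditManifest`. Two npm-level controls complement this check: `npm config set ignore-scripts true` stops lifecycle hooks from running automatically during install (at the cost of breaking packages that legitimately rely on them), and `npm profile enable-2fa auth-and-writes` is the maintainer-side setting that requires a second factor for publishing, which is the control the report's recommendations point to.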

Method of Compromise:

Interestingly, the associated GitHub repositories for these packages did not reflect the malicious changes, suggesting that the npm accounts of the package maintainers were compromised rather than the source repositories. Potential methods of compromise include credential stuffing attacks, in which attackers reuse previously leaked credentials to gain unauthorized access, or the takeover of expired domains associated with the maintainers' email addresses. Given the simultaneous compromise of multiple packages from different maintainers, it is more likely that the attackers took over maintainer accounts through such means rather than through a coordinated phishing campaign.

Implications and Recommendations:

This incident underscores the critical importance of securing developer accounts with robust measures such as two-factor authentication (2FA) to prevent unauthorized access. It also highlights the challenges in maintaining security for open-source projects, especially those that are no longer actively maintained.

Organizations are advised to implement stringent supply chain security measures and to monitor third-party software registries vigilantly. Prioritizing security at every stage of the development process is essential to mitigate risks associated with third-party dependencies.