Multiple NPM packages designed for blockchain application development have been hijacked to deliver information stealer malware, software supply chain management firm Sonatype reports.
The packages provide legitimate functionality for developers building applications that interact with blockchain services, but their latest versions contain obfuscated scripts, being able to steal sensitive information from the victims’ systems.
With a total combined download count of roughly 500,000 over their entire lifetimes, these packages have been available in the NPM registry for years, one for nearly a decade.
The malicious updates, however, were published recently, with the changes observed only on NPM, while the GitHub repositories remained untouched, Sonatype says.
At least two of the hijacked packages, namely ‘bnb-javascript-sdk-nobroadcast’ and ‘country-currency-map’ have not had new versions published for years, but new releases containing malicious code popped up on NPM for both this week.
The malicious version of ‘country-currency-map’ was deprecated shortly after it was published, with the maintainers recommending the use of the previous version, published five years ago.
In both packages, Sonatype identified highly obfuscated scripts that run during installation, and which collect sensitive information such as system environment variables, which could store access tokens, API keys, SSH credentials, and other data.
Malicious versions of ‘@bithighlander/bitcoin-cash-js-lib’, ‘eslint-config-travix’, ‘@crosswise-finance1/sdk-v2’, ‘@keepkey/device-protocol’, ‘@veniceswap/uikit’, ‘@veniceswap/eslint-config-pancake’, ‘babel-preset-travix’, ‘@travix/ui-themes’, and ‘@coinmasters/types’ were also identified.
The hijacks, the company notes, may have been performed after old maintainer accounts were compromised, likely via credential stuffing.
“Although NPM mandated two-factor authentication (2FA) for high impact projects in 2022 (e.g. authors of NPM packages receiving 1 million weekly downloads or with more than 500 dependents), some authors still need to enroll in two-factor authentication,” Sonatype notes.
Related: Developers Targeted With Malware Disguised as DeepSeek Package
Related: Snyk Says ‘Malicious’ NPM Packages Part of Research Project
Related: Open Source Package Entry Points May Lead to Supply Chain Attacks
Related: Cryptocurrency Wallets Targeted via Python Packages Uploaded to PyPI
