
Attackers compromised the account of the well-known developer known as qix and embedded malicious code in all of this author's NPM packages. The infected JavaScript libraries include extremely popular ones such as chalk and debug-js, which together are downloaded more than 2 billion times per week. This can be called the largest supply-chain attack in history.
The author of the packages was compromised by a phishing email sent from support@npmjs[.]help. At the time of writing, this domain is no longer available. The email contained a link that downloaded content from two BunnyCDN bins controlled by the attacker. One of the downloaded scripts was a credential stealer that captures the username, password, and 2FA code and sends them to a remote host at websocket-api2.publicvm[.]com. Once the account was compromised, the attacker published updates to all of the packages with an embedded cryptocurrency stealer. This malware only attacks desktops: it checks whether window.ethereum exists and, if so, installs interceptors on its request, send, and sendAsync functions. It also overwrites fetch, XMLHttpRequest.prototype.open, and XMLHttpRequest.prototype.send. When window.ethereum is present, the malicious script intercepts both Ethereum and Solana requests; in the case of Ethereum, it silently rewrites the destination address of any call to the attacker's wallet.
So far, the hackers have managed to steal only $50 worth of cryptocurrency. The malware was configured to steal funds from Ethereum and Solana wallets.
“Imagine compromising the NPM account of a developer whose packages are downloaded more than 2 billion times a week. You could have unlimited access to millions of developer workstations. Untold riches await you. The world is at your fingertips. And you earn less than $50,” Security Alliance joked.
For some reason, the hacker took advantage of the access. The malware has been almost completely neutralized. However, the day before, Security Alliance researchers had cited a figure of $0.05, which rose to $50 within a few hours, so the number of victims could still grow over time.
So far, the criminals have only used the memecoins Brett (BRETT), Andy (ANDY), Dork Lord (DORK), Ethervista (VISTA), and Gondola (GONDOLA).
If you used packages from qix:
- Check local node_modules for malware: grep -R 'checkethereumw'
- Check the npm cache with this script by phxgg
- Check the project with this script by AndrewMohawk
Source: Security Alliance