Introduction
Cybersecurity researchers have uncovered a large-scale supply chain attack in which nine-year-old npm packages were hijacked to exfiltrate API keys, access tokens, and SSH keys from compromised systems. The attack specifically targeted cryptocurrency-related npm packages, exploiting their long-standing reputation to distribute malicious versions laden with obfuscated scripts.
Hijacked npm Packages
The compromised packages and their malicious versions include:
- country-currency-map (2.1.8)
- bnb-javascript-sdk-nobroadcast (2.16.16)
- @bithighlander/bitcoin-cash-js-lib (5.2.2)
- eslint-config-travix (6.3.1)
- @crosswise-finance1/sdk-v2 (0.1.21)
- @keepkey/device-protocol (7.13.3)
- @veniceswap/uikit (0.65.34)
- @veniceswap/eslint-config-pancake (1.6.2)
- babel-preset-travix (1.2.1)
- @travix/ui-themes (1.1.5)
- @coinmasters/types (4.8.16)
These packages have been available on npmjs.com for over nine years, providing legitimate functionality to blockchain developers. However, the latest versions were injected with malicious scripts designed to steal sensitive information.
Malicious Code Execution
Upon installation, the infected packages automatically execute obfuscated JavaScript code embedded in the following scripts:
- package/scripts/launch.js
- package/scripts/diagnostic-report.js
These scripts:
- Harvest sensitive information: They collect API keys, SSH keys, and access tokens from the compromised system.
- Exfiltrate stolen data: The data is sent to a remote server (eoi2ectd5a5tn1h.m.pipedream[.]net).
- Evade detection: The obfuscation techniques make the malicious code difficult to identify, allowing it to persist undetected.
Suspicious GitHub Repositories
Interestingly, none of the GitHub repositories linked to the hijacked libraries contained the malicious code. This suggests that the threat actors injected the malicious scripts directly into the npm registry, bypassing the GitHub repositories.
Potential Attack Vectors
Researchers suspect that the attackers gained access to npm maintainer accounts through:
- Credential stuffing attacks: Using stolen credentials from previous data breaches to access npm maintainer accounts.
- Expired domain takeover: Gaining control of abandoned or expired domains linked to the package maintainers.
The coordinated attack on multiple projects from different maintainers suggests that account takeovers are the most probable cause.
Security Risks and Implications
The compromised npm packages pose significant risks to developers and organizations relying on them, including:
- Data exfiltration: Sensitive data such as API keys and SSH keys could be stolen, potentially granting attackers access to production environments.
- Cryptocurrency theft: Given the focus on blockchain-related packages, attackers may use the stolen credentials to steal crypto assets or execute unauthorized transactions.
- Supply chain attacks: Threat actors could exploit the hijacked npm packages to compromise downstream applications, spreading the impact further.
Mitigation and Recommendations
To protect against such attacks, developers and organizations should:
- Enable two-factor authentication (2FA): Secure npm accounts with 2FA to prevent unauthorized access.
- Verify package integrity: Use package integrity verification tools to detect any tampering or malicious modifications.
- Monitor third-party dependencies: Regularly review and audit third-party packages for suspicious updates.
- Use automated dependency scanning tools: Tools like Snyk, Dependabot, and npm audit can identify vulnerabilities in packages.
- Lock package versions: Pin dependencies to specific, trusted versions in package.json so that compromised versions are not installed automatically.
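As an added example that is not part of the original article, the following script turns the hijacked package list above and the version-pinning advice into a check a defender can run: it scans a package-lock.json (lockfileVersion 2 or 3) for the exact name and version pairs named in the article, and lists install-time lifecycle hooks in a package manifest. The sample lockfile and manifest are constructed, and the assumption that the payload was wired through an install hook is mine, not the article's.

```javascript
const HIJACKED = {
  "country-currency-map": "2.1.8",
  "bnb-javascript-sdk-nobroadcast": "2.16.16",
  "@bithighlander/bitcoin-cash-js-lib": "5.2.2",
  "eslint-config-travix": "6.3.1",
  "@crosswise-finance1/sdk-v2": "0.1.21",
  "@keepkey/device-protocol": "7.13.3",
  "@veniceswap/uikit": "0.65.34",
  "@veniceswap/eslint-config-pancake": "1.6.2",
  "babel-preset-travix": "1.2.1",
  "@travix/ui-themes": "1.1.5",
  "@coinmasters/types": "4.8.16",
};

// Package name from a lockfile key such as "node_modules/a/node_modules/@scope/b".
function nameFromPath(lockPath) {
  const i = lockPath.lastIndexOf("node_modules/");
  return i === -1 ? lockPath : lockPath.slice(i + "node_modules/".length);
}

// Every lockfile entry (nested ones included) whose name and exact version match the list.
function findHijacked(lockfile) {
  const hits = [];
  for (const [lockPath, entry] of Object.entries(lockfile.packages || {})) {
    if (lockPath === "") continue; // the root project itself
    const name = entry.name || nameFromPath(lockPath);
    if (HIJACKED[name] === entry.version) hits.push({ name, version: entry.version, path: lockPath });
  }
  return hits;
}

// Lifecycle scripts that run during installation. The article says the payload runs on
// install, so each of these deserves a manual look (the hook wiring here is an assumption).
function installHooks(manifest) {
  const scripts = manifest.scripts || {};
  return ["preinstall", "install", "postinstall"]
    .filter((hook) => scripts[hook])
    .map((hook) => ({ hook, command: scripts[hook] }));
}

// Constructed sample inputs, not real project files.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/@veniceswap/uikit": { version: "0.65.34" },
  "node_modules/country-currency-map": { version: "2.1.7" }, // earlier release, not flagged
} };
const SAMPLE_MANIFEST = { name: "demo-dep", scripts: { postinstall: "node scripts/launch.js" } };

console.log(findHijacked(SAMPLE_LOCK), installHooks(SAMPLE_MANIFEST));
```

To run it against a real project, replace the constructed objects with `JSON.parse(fs.readFileSync("package-lock.json"))` and the manifest of each dependency under node_modules.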
Conclusion
The recent hijacking of long-standing npm packages highlights the growing threat of supply chain attacks in the software ecosystem. With attackers exploiting abandoned or vulnerable accounts, it is essential for developers and organizations to adopt stronger security measures and closely monitor third-party dependencies. By staying vigilant and implementing best practices, organizations can reduce the risk of supply chain compromise and protect sensitive information.