Crypto-Stealing Malware Infiltrates Core JavaScript Libraries Used by Millions

The NPM (node packet manager) account of developer ‘qix’ was compromised, allowing hackers to publish malicious versions of his packages.

The attackers published malicious versions of dozens of extremely popular JavaScript packages, including fundamental utilities. The hack was massive in scope since the affected packages have over 1 billion combined weekly downloads.

This attack on the software supply chain specifically targets the JavaScript/Node.js ecosystem.

Crypto Clipper Malware

The malicious code was a “crypto-clipper” designed to steal cryptocurrency by swapping wallet addresses in network requests and hijacking crypto transactions directly. It was also heavily obfuscated to avoid detection.

The crypto-stealing malware has two attack vectors. When no crypto wallet extension is found, the malware intercepts all network traffic by replacing the browser’s native fetch and HTTP request functions with extensive lists of attacker-owned wallet addresses.

Using sophisticated address swapping, it employs algorithms to find replacement addresses that look visually similar to legitimate ones, making the fraud nearly impossible to spot with the naked eye, said cybersecurity researchers.

If a crypto wallet is found, the malware intercepts transactions before signing, and when users initiate transactions, it modifies them in memory to redirect funds to attacker addresses.

The attack targeted packages such as ‘chalk,’ ‘strip-ansi,’ ‘color-convert,’ and ‘color-name,’ which are core building blocks buried deep in the dependency trees of countless projects.

The attack was discovered accidentally when a build pipeline failed with a “fetch is not defined” error as the malware attempted to exfiltrate data using the fetch function.

“If you use a hardware wallet, pay attention to every transaction before signing, and you’re safe. If you don’t use a hardware wallet, refrain from making any on-chain transactions for now,” advised Ledger CEO Charles Guillemet.

Broad Attack Vector

While the malware’s payload specifically targets cryptocurrency, the attack vector is much broader. It affects any environment running JavaScript/Node.js applications, such as web applications running in browsers, desktop applications, server-side Node.js applications, and mobile apps using JavaScript frameworks.

So a regular business web application could unknowingly include these malicious packages, but the malware would only activate when users interact with cryptocurrency on that site.

Uniswap and Blockstream were among the first to reassure users that their systems were not at risk.

The post Crypto-Stealing Malware Infiltrates Core JavaScript Libraries Used by Millions appeared first on CryptoPotato.