Cybersecurity researchers have found that multiple cryptocurrency-related packages on the npm registry have been hijacked with malicious obfuscated scripts designed to harvest sensitive data such as API keys and SSH tokens. These packages, some of which have existed for over nine years, remain functional for legitimate developers but contain hidden threats that activate upon installation. The investigation raises questions about how the attack was carried out, with speculation pointing to compromised old maintainer accounts and vulnerabilities within the npm system that could have facilitated such attacks.
Cybersecurity researchers have discovered several cryptocurrency packages on the npm registry that have been hijacked to siphon sensitive information such as environment variables from compromised systems.
The affected packages and their hijacked versions are listed, revealing long-standing npm packages providing legitimate functionality before being poisoned with obfuscated code.
Interestingly, none of the GitHub repositories associated with the libraries have been modified to include the same changes, raising questions about how the threat actors managed to push malicious code.
We hypothesize the cause of the hijack to be old npm maintainer accounts getting compromised, exposing the vulnerabilities within the npm ecosystem.
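The pattern described above (a long-dormant package that suddenly ships a release with code that runs at install time) can be triaged from registry metadata. The following is an added example, not code from the researchers or from npm: it assumes a registry metadata document with `time` and `versions` fields, and the function name, the 365-day threshold and the sample packages are hypothetical.

```javascript
// Lifecycle hooks npm runs automatically during `npm install`.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];
const DAY_MS = 24 * 60 * 60 * 1000;

// packument: registry metadata with `time` (version -> ISO publish date)
// and `versions` (version -> package.json manifest of that release).
function findSuspiciousReleases(packument, dormancyDays = 365) {
  const versions = packument.versions || {};
  const releases = Object.entries(packument.time || {})
    .filter(([v]) => versions[v]) // drops the "created"/"modified" keys
    .map(([version, iso]) => ({ version, published: Date.parse(iso) }))
    .sort((a, b) => a.published - b.published);

  const findings = [];
  for (let i = 1; i < releases.length; i++) {
    const prev = releases[i - 1];
    const cur = releases[i];
    const gapDays = Math.floor((cur.published - prev.published) / DAY_MS);
    const before = versions[prev.version].scripts || {};
    const after = versions[cur.version].scripts || {};
    // Install hooks that are new, or whose command changed, in this release.
    const changedHooks = INSTALL_HOOKS.filter(
      (h) => after[h] !== undefined && after[h] !== before[h]
    );
    if (gapDays >= dormancyDays && changedHooks.length > 0) {
      findings.push({ name: packument.name, version: cur.version, gapDays, changedHooks });
    }
  }
  return findings;
}

// Constructed sample metadata (hypothetical packages, not from the report).
const SAMPLE_PACKUMENTS = [
  { name: "example-coin-utils",
    time: { created: "2016-02-01T00:00:00Z", "1.0.0": "2016-02-01T00:00:00Z",
            "1.0.1": "2016-03-01T00:00:00Z", "1.0.2": "2025-03-01T00:00:00Z" },
    versions: {
      "1.0.0": { scripts: { test: "mocha" } },
      "1.0.1": { scripts: { test: "mocha" } },
      "1.0.2": { scripts: { test: "mocha", postinstall: "node setup.js" } } } },
  { name: "example-active-lib", // short gap, unchanged hook: not flagged
    time: { "2.0.0": "2025-01-10T00:00:00Z", "2.0.1": "2025-02-10T00:00:00Z" },
    versions: {
      "2.0.0": { scripts: { postinstall: "node build.js" } },
      "2.0.1": { scripts: { postinstall: "node build.js" } } } },
];

for (const p of SAMPLE_PACKUMENTS) console.log(p.name, findSuspiciousReleases(p));
```

A hit is a prompt for manual review of the published tarball against the source repository, not proof of compromise.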