Russian-Speaking Attackers Target Ethereum Devs with Fake Hardhat npm Packages

By exploiting trust in open source plugins, attackers have infiltrated Hardhat development environments through malicious npm packages, exfiltrating critical data such as private keys, mnemonics, and configuration details.
The attack begins when compromised packages are installed. These packages exploit the Hardhat runtime environment using functions such as hreInit() and hreConfig() to collect sensitive details like private keys, mnemonics, and configuration files.
The collected data is transmitted to attacker-controlled endpoints, leveraging hardcoded keys and Ethereum addresses for streamlined exfiltration.
The list of identified counterfeit packages includes names like @nomicsfoundation/hardhat-config and @monicfoundation/hardhat-config, indicating a systematic approach to deceive users.
Read at The Hacker News