Олександр Кузьменко
That's Life
9 September 2025, 11:18
Attackers hacked 18 popular JavaScript npm packages that are downloaded over 2 billion times each week
Hackers added backdoors to at least 18 JavaScript code npm packages — their malware was aimed at stealing Ethereum, Bitcoin, Solana, and Tron cryptocurrencies. How did this happen?
The attackers managed to hijack the accounts of the administrator of these packages, Josh Junon (qix), who received a phishing email from the address [email protected], whose domain hosts a website that pretends to be the real npmjs.com, Bleeping Computer reports.
«Sorry everyone, I should have been more considerate. It’s not like me; I’ve had a busy week. I’ll make an effort to fix it,» Junon wrote.
Several other developers reported receiving a similar message as well.
npm (Node Package Manager) is a package manager for the JavaScript programming language. Josh Junon contributed to at least 80 npm packages on GitHub. He identified 18 packages that were affected, and he said the attack was targeted and aimed at packages with a high number of downloads.
The affected packages have a combined total of over 2.6 billion downloads each week:
backslash (0.26 million downloads per week);
chalk-template (3.9 million downloads per week);
supports-hyperlinks (19.2 million downloads per week);
has-ansi (12.1 million downloads per week);
simple-swizzle (26.26 million downloads per week);
color-string (27.48 million downloads per week);
error-ex (47.17 million downloads per week);
color-name (191.71 million downloads per week);
is-arrayish (73.8 million downloads per week);
slice-ansi (59.8 million downloads per week);
color-convert (193.5 million downloads per week);
wrap-ansi (197.99 million downloads per week);
ansi-regex (243.64 million downloads per week);
supports-color (287.1 million downloads per week);
strip-ansi (261.17 million downloads per week);
chalk (299.99 million downloads per week);
debug (357.6 million downloads per week);
ansi-styles (371.41 million downloads per week).
Charlie Eriksen, a security researcher at Aikido Security, said the company discovered the attack on September 8.
«The packages were updated to contain a piece of code that would execute on the website client, which silently intercepts crypto and web3 activity in the browser, manipulates wallet interactions, and rewrites payment destinations so that funds and approvals are redirected to accounts controlled by the attackers without any obvious signs to the user,» Eriksen said.
The npm security team and other project administrators reportedly began removing the compromised code within hours of the attack. The attackers likely did not receive any funds from this attack.
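To check whether a project pulled in any of the 18 packages named above, a team can inventory its lockfile. The following is an added example, not code from the article or from npm: it walks a parsed package-lock.json (both the flat `packages` layout and the older nested `dependencies` layout) and reports every installed copy. The `badVersions` argument, the sample lockfile and its version strings are assumptions made for illustration; the article lists no version numbers, so those must come from the registry advisory.

```javascript
// The 18 package names listed in the article.
const AFFECTED = new Set([
  'backslash', 'chalk-template', 'supports-hyperlinks', 'has-ansi',
  'simple-swizzle', 'color-string', 'error-ex', 'color-name', 'is-arrayish',
  'slice-ansi', 'color-convert', 'wrap-ansi', 'ansi-regex', 'supports-color',
  'strip-ansi', 'chalk', 'debug', 'ansi-styles',
]);
const MARK = 'node_modules/';
// Returns [{ name, version, path, flagged }] for every installed copy.
// `badVersions` is an assumption: the caller fills it from the advisory
// (package name -> array of versions); the article gives no versions.
function findAffected(lock, badVersions = {}) {
  const hits = [];
  const record = (name, version, path) => {
    if (!AFFECTED.has(name)) return;
    hits.push({ name, version, path, flagged: (badVersions[name] || []).includes(version) });
  };
  if (lock.packages) {
    // lockfileVersion 2 and 3: flat map keyed by install path.
    for (const [path, meta] of Object.entries(lock.packages)) {
      const i = path.lastIndexOf(MARK);
      if (i === -1) continue; // root project or workspace member
      // Aliased installs carry the real registry name in `name`.
      record(meta.name || path.slice(i + MARK.length), meta.version, path);
    }
  } else {
    // lockfileVersion 1: nested `dependencies` trees.
    const walk = (deps, trail) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const path = trail + MARK + name;
        record(name, meta.version, path);
        walk(meta.dependencies, path + '/');
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}
// Constructed sample lockfile; version strings are placeholders, not real releases.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/chalk': { version: '0.0.1-sample' },
  'node_modules/express': { version: '0.0.2-sample' },
  'node_modules/express/node_modules/debug': { version: '0.0.3-sample' },
  'node_modules/my-colors': { name: 'color-name', version: '0.0.4-sample' },
  'packages/ui': { version: '1.0.0' },
} };
console.table(findAffected(SAMPLE_LOCK, { debug: ['0.0.3-sample'] }));
```

For a real project, pass the result of parsing the project's own package-lock.json instead of `SAMPLE_LOCK`; transitive copies nested under other packages are reported with their full install path.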