NPM attack nets cybercriminals less than $50

Atlas21 (Newsroom)

Hackers compromised the account of an NPM developer, installing malware in JavaScript libraries downloaded more than two billion times.

According to intelligence platform Security Alliance, the cybercriminals behind the NPM (Node Package Manager) attack have managed to steal less than $50 in cryptocurrency so far.

How the attack unfolded

After breaching the NPM account of Josh Goldberg, a well-known open-source maintainer known as “Qix,” the attack specifically targeted Ethereum and Solana wallets, Security Alliance reported. The attackers injected malware into popular JavaScript libraries already downloaded by over a billion users.

Despite the scale of the attack, the proceeds were meager. Security Alliance identified the Ethereum address “0xFc4a48” as the only malicious address used so far in the operation.

Security researcher Samczsun of SEAL commented:

“You compromise the account of a NPM developer whose packages are downloaded more than 2 billion times per week. You could have unfettered access to millions of developer workstations. Untold riches await you. The world is your oyster. You profit less than 50 USD.”

The expert compared the situation to “finding the keycard to Fort Knox and using it as a bookmark”.

Loot details

Initially, the attack yielded just five cents in Ether (ETH), later rising to about $20 in the following hours. Data from Etherscan shows that the malicious address also received several memecoins, including Brett (BRETT), Andy (ANDY), Dork Lord (DORK), Ethervista (VISTA), and Gondola (GONDOLA).

Technical mechanism

The attack affected key packages such as chalk, strip-ansi, and color-convert – small utilities deeply embedded in the dependency trees of countless projects. Even developers who hadn’t installed them directly may have been exposed.

The malware used in the attack appears to be a crypto-clipper, a type of malicious software that replaces wallet addresses during transactions in order to divert funds.

Several wallet providers confirmed they were not compromised. Ledger and MetaMask declared their platforms safe, citing “multiple layers of defense” against such attacks.

Phantom Wallet also confirmed it does not use vulnerable versions of the compromised packages, while Uniswap clarified that none of its applications are at risk. Other platforms and wallets such as Aerodrome, Aqua, BitBox02, Bitcoin Keeper, Blast, Blockstream Jade, Blue Wallet, Bull Bitcoin Wallet, Coldcard, Cove Wallet, Electrum, Foundation Devices, Nunchuk, Revoke.cash, Seedsigner, Sparrow, Specter, and Wasabi Wallet confirmed they were unaffected.

Confirmed unaffected NPM attack: @covewallet @nunchuk_io @AquaBitcoin @Blockstream @SparrowWallet @wasabiwallet @COLDCARDwallet @SpecterWallet @ElectrumWallet @FOUNDATIONdvcs @selfcustodykrux @SeedSigner @bitcoinKeeper_
Will add others below in the thread as I'm informed of…

— BTC Sessions 😎 (@BTCsessions) September 9, 2025

Post-attack recommendations

DefiLlama’s pseudonymous founder, 0xngmi, specified that only projects that updated their dependencies after the infected NPM package was published could be at risk. Even in those cases, the malicious transaction has no effect unless the user manually approves it.

“If you use a hardware wallet, pay attention to every transaction before signing and you’re safe,” said Charles Guillemet, CTO of Ledger.

As a precautionary measure, several experts recommend temporarily avoiding the use of crypto websites until developers have fully cleaned up the compromised packages.

The post NPM attack nets cybercriminals less than $50 appeared first on Atlas21.
