In a concerning discovery, cybersecurity researchers have identified multiple compromised cryptocurrency packages on the npm registry that are being used to steal sensitive information from affected systems. Several packages, some of which have existed on npmjs.com for over nine years, were found to contain malicious code despite providing legitimate blockchain development functionality.
The attack targeted eleven npm packages, including widely used ones such as country-currency-map, eslint-config-travix, and various cryptocurrency-related libraries. The malicious actors inserted heavily obfuscated code into two specific scripts that activate upon package installation.
These scripts, found in "package/scripts/launch.js" and "package/scripts/diagnostic-report.js", were engineered to collect sensitive data including API keys, access tokens, and SSH keys before transmitting them to a remote server.
A notable aspect of this attack is that the associated GitHub repositories remain unmodified, suggesting the threat actors focused solely on compromising the npm packages. The exact method of compromise remains under investigation, though researchers suspect either credential stuffing attacks or expired domain takeovers as likely vectors.
The timing of these attacks across multiple distinct projects points toward compromised maintainer accounts as the most probable explanation, rather than coordinated phishing attempts.
This incident exposes ongoing challenges in open-source security, particularly for projects that are no longer actively maintained. Security experts recommend implementing two-factor authentication to protect against account takeovers and emphasize the need for enhanced monitoring of third-party software registries.
The investigation continues as researchers work to determine the ultimate objective behind this coordinated attack on the npm ecosystem.