Crypto wallets targeted in widespread hack of npm, GitHub

A phishing campaign against maintainers on both platforms resulted in malware being distributed via JavaScript in top open-source packages.

Paul Roberts, Director of Content and Editorial at RL

Security experts are warning of widespread phishing attacks that have compromised the accounts of prominent open-source software (OSS) developers. The campaign has placed malicious code designed to steal cryptocurrency into widely used OSS packages that account for billions of downloads each month. 

As of this writing, scores of leading developers on OSS platforms including GitHub and npm appear to have been compromised in a coordinated campaign of phishing attacks. The full extent of the campaign is unclear, but a large number of widely used OSS packages appear to have been affected, in attacks closely resembling the July compromise of the maintainer of eslint-config-prettier and other popular npm packages.

Here's what you need to know about the hacks.


Compromised packages with billions of downloads

The incident first came to light after Josh Junon, a highly respected developer with the handle ~qix, acknowledged on Monday that his npm account had been hacked via a phishing attack involving a fake two-factor authentication (2FA) email that “looked shockingly authentic.” Shortly thereafter, security researchers notified Junon that his account was linked to malicious code updates to packages he helped maintain.

Junon is a contributor to some of the most widely used OSS packages on npm, which receive more than 11 billion monthly downloads. Based on analysis by ReversingLabs (RL) and others, many of the most widely used packages that Junon maintained were compromised in the attack. Among them are six packages with between 1 billion and 1.6 billion monthly downloads: ansi-styles, debug, chalk, supports-color, strip-ansi and ansi-regex.

At the time of writing, RL has confirmed 18 distinct npm packages compromised following the takeover of the ~qix maintainer account.

Compromised npm packages

Analysis of the affected packages revealed suspicious behaviors including the presence of obfuscated code, as well as the presence of files with behaviors associated with malicious software. 

A deeper analysis by RL revealed that the affected packages were modified to include heavily obfuscated malicious JavaScript designed to steal funds from Bitcoin, Ethereum, Solana and other cryptocurrency wallets.

[Figure: secure.software report on the chalk npm package]

Specifically, the code monitors web requests for crypto-wallet-related interactions and replaces legitimate recipient wallet addresses with a predefined set of malicious (“drainer”) wallet addresses that are hard-coded into the script. The malicious addresses identified in the code are listed here.

Phishing for (open-source) gold

In a post on Bluesky on September 8, Junon said that his account was hacked after receiving an email from the address support (at) npmjs.help asking “all users to update their Two Factor Authentication (2FA) credentials” and claiming that “our records indicate that it has been over 12 months since your last 2FA update.” 

The message included a hyperlink to reset the credentials. An analysis by the security firm Aikido found that the npmjs.help phishing domain was registered on September 5. Junon wrote on Monday that he had contacted npm regarding the compromise but had been locked out of his maintainer account by the attack. 

As security researchers scrambled to assess the damage from the attacks, evidence emerged that other developer accounts had also been compromised. Researchers at Aikido wrote that they detected another package, proto-tinker-wc, containing the same malicious code. Further analysis revealed that a maintainer of that package, ~eswat2, may also have been compromised.

RL found hundreds of packages on GitHub, associated with scores of developers, that contain the malicious code tied to the attackers who targeted ~qix. Those include commonly used code such as the Orange Design Charts (ods-charts) library, created by Orange Open Source. In all, more than 550 files on GitHub were found that match a hash associated with the malicious code from the latest campaign.

While the full extent of the hacks and the set of affected packages has yet to be determined, security experts say that the vast reach of the affected packages will touch most developers. “There's no one that's building code with npm packages that isn't possibly affected by this,” said Tomislav Peričin, co-founder and chief software architect at RL, in response to the compromise of the ~qix maintainer account.


An early warning of eslint-config-prettier?

Though unmatched in scope, the attacks on Monday follow the broad outlines of an attack RL detected in July, in which a phishing attack on an npm developer resulted in the compromise of eslint-config-prettier — an npm package with over 3.5 billion downloads and 12,000 dependent packages. 

In that case, malicious actors gained access to the maintainer’s account via a sophisticated phishing scheme that used a spoofed npm support email and a phishing website, npmjs (dot) org, that mimicked the real npmjs.com site. The attack resulted in the theft of the maintainer’s credentials, followed by the publication of malicious versions of eslint-config-prettier, synckit, @pkgr/core and napi-postinstall.

Those compromised packages contained a post-install script that installed a Portable Executable (PE) DLL embedding the Scavenger remote access trojan (RAT), enabling infection of Windows development environments. Following detection by researchers at Socket and RL, npm was notified and the malicious versions were pulled within about two hours. Still, the widespread use of the affected packages and the common practice of automatically applying package updates made the actual impact of the compromise unclear.

Recommendations

Developers can assess the security grade of packages via RL's Spectra Assure Community portal at secure.software. Compromised packages should be deleted from the affected project and dependencies. 

Cryptocurrency users concerned they may be vulnerable to attacks via compromised crypto applications and websites are advised to disconnect their crypto wallets from any affected websites immediately, revoke approvals for any tokens on that wallet and transfer funds to a new, secure wallet.

RL is continuing to monitor the situation and will update this post as new information becomes available.
