Malicious npm Packages Target Crypto Developers, Steal Wallet Keys
Severity: High (Score: 66.0)
Sources: Cybersecuritynews, Gbhackers
Summary
Five malicious npm packages that impersonate popular crypto libraries have been identified; they target developers in the Solana and Ethereum ecosystems. All five were published under the npm account 'galedonovan' and are named and packaged to look like trusted libraries, so that developers install them by mistake. Once installed, the packages harvest private wallet keys and exfiltrate them to a hardcoded Telegram bot. Two techniques raise the odds of a successful installation: typosquatting, so that a mistyped or misremembered package name resolves to the malicious package, and wrapping the legitimate library, so that the package still provides the expected functionality and the theft goes unnoticed. The impact is direct: any wallet whose private key was present on a machine where one of these packages ran should be treated as compromised. At the time of reporting the packages were still available on npm, so the risk is ongoing. Developers are urged to verify their dependencies (check the publisher of each package, not only its name, and compare the name character by character against the library they meant to install), remove any suspicious package immediately, and stop using any wallet key that was exposed.
Key Points:
• Five malicious npm packages impersonate trusted crypto libraries.
• The packages target Solana and Ethereum developers, stealing wallet keys.
• Stolen keys are exfiltrated to a hardcoded Telegram bot.
Key Entities
- Malware (attack_type)
- Supply Chain Attack (attack_type)
- T1036 - Masquerading (mitre_attack)
- T1041 - Exfiltration Over C2 Channel (mitre_attack)
- T1071 - Application Layer Protocol (mitre_attack)
- T1195 - Supply Chain Compromise (mitre_attack)
- Npm (tool)
- Telegram Bot (tool)
- Telegram (platform)