Ethereum and Solana wallets targeted in the 'npm' attack with billions of downloads; only 5 cents taken



A phishing email on Monday compromised one of the most prolific Node.js developers, pushing malicious code into packages downloaded billions of times a week, in what researchers are calling the largest software supply chain attack in recent memory.

While the scope of the attack was massive, Security Alliance said in a Tuesday report that the attacker walked away with just a few cents. Security teams, however, now face the substantial cost of updating backend systems to guard against further attacks.

The maintainer known as "Qix", who heads libraries such as chalk and debug-js that together account for billions of downloads every week, was compromised last week after receiving an email from support@npmjs[.]help. The domain at one point pointed to a Russian server and redirected to a spoofed two-factor authentication page hosted on the BunnyCDN content delivery network.

The credential stealer harvested the username, password and 2FA codes before sending them to a remote host. With full access, the attacker published every Qix package with a crypto-focused payload.

The Node package manager (shortened to npm, not NPM) is like an app store for developers, where coders download small blocks of code (called packages) instead of writing everything from scratch. A maintainer is the person or entity that creates and updates those packages.

How the attack happened

The injected code was simple. It checked whether window.ethereum was present and, if so, hooked into Ethereum's core transaction functions. Calls to approve, permit, transfer or transferFrom were silently redirected to a single wallet, "0xFC4A4858BAFEF54D1B1D7697BFB5C52F4C166976".

Any Ethereum transaction carrying value and no data was also redirected. For Solana, the malware overwrote recipients with an invalid address string beginning "1911 …", breaking the transfers outright.

Network requests were intercepted as well.

By hijacking fetch and XMLHttpRequest, the malware scanned JSON responses for substrings resembling wallet addresses and replaced them with one of 280 hard-coded alternatives chosen to look deceptively similar.

Impact of the attack

Yet despite that distribution, the impact was negligible.

On-chain data shows the attacker received only about five cents of ether and roughly $20 of an illiquid memecoin that traded less than $600 in volume, according to the Security Alliance report.

The popular browser wallet MetaMask also said on X that it was not affected by the npm supply chain attack, because the wallet pins its code versions, uses manual and automated controls, and rolls out updates in stages. It also uses "LavaMoat", which blocks malicious code even if it is inserted, and "Blockaid", which quickly flags the compromised wallet addresses, to keep such attacks at bay.
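As an added example of the kind of runtime control the previous paragraph alludes to (it is not MetaMask's, LavaMoat's or Blockaid's code): a host application captures references to the entry points the payload re-wrapped (fetch, the XMLHttpRequest methods, Response.prototype.json and the injected provider's request function) at bootstrap, before any third-party bundle runs, re-verifies them before a signing flow, and can lock them down so a later reassignment fails. The root object stands in for window and is constructed here so the example runs under Node; the watched list and the demo functions are assumptions.

```javascript
// Added example (not the article's code and not MetaMask's, LavaMoat's or
// Blockaid's): a minimal runtime-integrity guard for the entry points the
// article says the payload re-wrapped. "root" stands in for window.

// Property paths to watch. Assumption: this list covers the hooks the article
// describes; extend it for whatever your client treats as trusted.
const WATCHED = [
  ["fetch"],
  ["XMLHttpRequest", "prototype", "open"],
  ["XMLHttpRequest", "prototype", "send"],
  ["Response", "prototype", "json"],
  ["ethereum", "request"],
];

function resolvePath(root, pathParts) {
  return pathParts.reduce((obj, key) => (obj == null ? undefined : obj[key]), root);
}

// Capture the current function references. Must run before untrusted code.
function snapshotIntegrity(root) {
  const snap = new Map();
  for (const p of WATCHED) snap.set(p.join("."), resolvePath(root, p));
  return snap;
}

// Compare live references with the snapshot; any identity mismatch means
// something reassigned the function after bootstrap. Returns the tampered paths.
function verifyIntegrity(root, snap) {
  const tampered = [];
  for (const p of WATCHED) {
    const key = p.join(".");
    const expected = snap.get(key);
    if (expected === undefined) continue; // API absent in this environment (e.g. no XHR under Node)
    if (resolvePath(root, p) !== expected) tampered.push(key);
  }
  return tampered;
}

// Hardening: make the watched properties non-writable and non-configurable so
// a later `window.fetch = ...` is ignored (or throws in strict mode).
function lockDown(root) {
  for (const p of WATCHED) {
    const holder = resolvePath(root, p.slice(0, -1));
    const key = p[p.length - 1];
    if (holder == null || holder[key] === undefined) continue;
    Object.defineProperty(holder, key, { value: holder[key], writable: false, configurable: false });
  }
}

// Constructed stand-in for a browser window with an injected wallet provider.
function makeDemoRoot() {
  const provider = { request: async (args) => ({ method: args.method }) };
  return { fetch: async () => ({}), ethereum: provider };
}

// Scenario 1: snapshot at bootstrap, then a third-party bundle re-wraps the
// provider and fetch the way the article describes; the check reports both.
function demo() {
  const root = makeDemoRoot();
  const snap = snapshotIntegrity(root);
  const origRequest = root.ethereum.request;
  root.ethereum.request = (args) => origRequest(args); // wrapper, no real logic
  root.fetch = async (...a) => ({ a });
  return verifyIntegrity(root, snap); // ["fetch", "ethereum.request"]
}

// Scenario 2: lock down first; the same reassignment attempts have no effect.
function demoLockedDown() {
  const root = makeDemoRoot();
  lockDown(root);
  const snap = snapshotIntegrity(root);
  try {
    root.fetch = async () => ({});
    root.ethereum.request = async () => ({});
  } catch (e) {
    // TypeError in strict mode; silently ignored otherwise
  }
  return verifyIntegrity(root, snap); // []
}

module.exports = { snapshotIntegrity, verifyIntegrity, lockDown, demo, demoLockedDown };
```

Two limits worth knowing: the snapshot only catches hooks installed after it was taken, so a payload bundled into the first script to run needs the lockdown path or the package-level controls the article mentions; and freezing ethereum.request can break wallets that legitimately replace their provider object, so apply lockDown to the application's own globals and handle provider changes through an explicit, audited code path.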

Meanwhile, Ledger CTO Charles Guillemet warned that the malicious code had been pushed to packages with more than a billion downloads and was designed to silently swap wallet addresses in transactions.

The attack follows another case flagged last week by ReversingLabs, in which npm packages used Ethereum smart contracts to hide malware links, a technique that disguised command-and-control traffic as ordinary blockchain calls.
