Malicious npm Campaign Steals SSH Keys, API Tokens, Cloud Credentials, and Wallet Secrets

A fresh wave of supply chain attacks is putting blockchain developers, Web3 teams, and cloud engineers at serious risk.

Researchers have uncovered a coordinated campaign involving multiple malicious packages on the npm registry, each designed to quietly steal sensitive secrets the moment a developer installs them.

From SSH private keys to cloud credentials, wallet phrases to API tokens, this campaign leaves almost no secret untouched.

What makes this effort particularly alarming is its scale. One package at the center of the investigation, moralis-sdk, had accumulated more than 2.7 million downloads by the time researchers flagged it.

That reach means the malicious code may have already touched thousands of developer workstations, CI/CD pipelines, and cloud environments without anyone realizing it.

Analysts at Cyfirma identified the campaign after spotting two suspicious packages, ethers-jss and coinbase-wallet-utils, both built to impersonate legitimate Ethereum development tools.

Through deeper investigation, they linked eleven highly suspicious npm packages to the same operation, as the researchers at Cyfirma said in a report shared with Cyber Security News (CSN).

The packages were not all built the same way. Cyfirma’s research revealed four distinct operational clusters, each targeting developers through a different method.

System Reconnaissance & Data Exfiltration (Source - Cyfirma)

Some abused npm lifecycle hooks to auto-execute malicious code during install, while others relied on obfuscated loaders and Ethereum smart contracts to retrieve command-and-control addresses without hard-coding anything obvious.

Together, these packages recorded more than 2.72 million combined downloads, making this one of the more impactful npm supply chain campaigns seen recently.

Active download activity during the investigation confirmed that several packages were still reaching new victims even after discovery.

Malicious npm Campaign

The infection method was deceptively simple. Each package used npm lifecycle scripts, either preinstall or postinstall hooks, to trigger malicious code the moment a developer ran an install command. No extra steps were needed on the victim’s side.

The ethers-jss package acted as a malicious wrapper around the real ethers library. Once installed, it intercepted wallet creation and recovery functions to capture private keys and mnemonic phrases, sending them to an attacker-controlled server on GitHub Codespaces.

It also included a Python script named docker_hunter.py, which performed OSINT-style lookups on Docker Hub repositories tied to blockchain tools.

Command-and-Control (C2) Configuration (Source - Cyfirma)

The coinbase-wallet-utils package focused on reconnaissance, collecting the victim’s hostname, username, environment variables, and working directory, then exfiltrating everything silently using curl.

A separate cluster of five packages published by the npm user ethcompat went further, encrypting stolen credentials with AES-256-GCM and embedding them inside Ethereum blockchain transactions sent to an attacker-controlled wallet, turning the victim’s own wallet into the exfiltration channel.

The moralis-sdk package was particularly crafty. It started as a clean copy of the legitimate Moralis SDK in October 2025, then was weaponized through an update that added a heavily obfuscated postinstall.js file.

That file used a YouTube page as a remote activation switch and only delivered its payload if a hidden marker was found, giving the attacker remote control over when the malware activated.

Blockchain Infrastructure and Attribution Clues

Three typosquatting packages, ganach, solidty, and stelar-sdk, added another layer of innovation. Instead of hard-coding a server address, these packages queried an Ethereum smart contract to retrieve infrastructure details dynamically.

The malware then downloaded platform-specific binaries for Windows, Linux, or macOS depending on the victim’s system.

Researchers also found several attribution hints. The accounts used to publish the packages had randomly generated names, a common tactic to avoid being traced.

Deobfuscated code contained Russian-language comments and variable names, pointing to a financially motivated actor with experience in cryptocurrency-related cybercrime, though no specific group was formally named.

Cryptocurrency Wallet Hijacking Logic (Source - Cyfirma)

Cyfirma recommends running installs with `npm install --ignore-scripts` to block automatic lifecycle script execution.

Organizations should also deploy Software Composition Analysis tools, avoid storing private keys or seed phrases in plaintext, and rotate any exposed credentials immediately.

Developers in Web3 environments should verify publisher identity, download history, and repository ownership before adding any unfamiliar package to their project.

Indicators of Compromise (IoCs):


Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.


The post Malicious npm Campaign Steals SSH Keys, API Tokens, Cloud Credentials, and Wallet Secrets appeared first on Cyber Security News.






Tushar Subhra Dutta




