A fresh wave of supply chain attacks is putting blockchain developers, Web3 teams, and cloud engineers at serious risk. <\/p>\n
Researchers have uncovered a coordinated campaign involving multiple malicious packages on the npm registry, each designed to quietly steal sensitive secrets the moment a developer installs them. <\/p>\n
From SSH private keys to cloud credentials, wallet phrases to API tokens, this campaign leaves almost no secret untouched.<\/p>\n
What makes this effort particularly alarming is its scale. One package at the center of the investigation, moralis-sdk, had accumulated more than 2.7 million downloads by the time researchers flagged it. <\/p>\n
That reach means the malicious code may have already touched thousands of developer workstations<\/a>, CI\/CD pipelines, and cloud environments without anyone realizing it.<\/p>\n Analysts at\u00a0Cyfirma\u00a0identified the campaign after spotting two suspicious packages, ethers-jss and coinbase-wallet-utils, both built to impersonate legitimate Ethereum development tools. <\/p>\n Through deeper investigation, they linked eleven highly suspicious npm packages to the same operation, as the researchers at Cyfirma said in a report<\/a> shared with Cyber Security News (CSN).<\/p>\n The packages were not all built the same way. Cyfirma\u2019s research revealed four distinct operational clusters, each targeting developers through a different method. <\/p>\n Some abused npm lifecycle hooks to auto-execute malicious code during install, while others relied on obfuscated loaders and Ethereum smart contracts to retrieve command-and-control addresses without hard-coding anything obvious.<\/p>\n Together, these packages recorded more than 2.72 million combined downloads, making this one of the more impactful npm supply chain campaigns seen recently. <\/p>\n Active download activity during the investigation confirmed that several packages were still reaching new victims even after discovery.<\/p>\n The infection method was deceptively simple. Each package used npm lifecycle scripts, either preinstall or postinstall hooks, to trigger malicious code the moment a developer ran an install command. No extra steps were needed on the victim\u2019s side.<\/p>\n The ethers-jss package acted as a malicious wrapper around the real ethers library. Once installed, it intercepted wallet creation and recovery functions to capture private keys and mnemonic phrases, sending them to an attacker-controlled server on GitHub Codespaces. <\/p>\n It also included a Python script named docker_hunter.py<\/a>, which performed OSINT-style lookups on Docker Hub repositories tied to blockchain tools.<\/p>\n The coinbase-wallet-utils package focused on reconnaissance, collecting the victim\u2019s hostname, username, environment variables, and working directory, then exfiltrating everything silently using curl. <\/p>\n A separate cluster of five packages published by the npm user ethcompat went further, encrypting stolen credentials with AES-256-GCM and embedding them inside Ethereum blockchain transactions sent to an attacker-controlled wallet, turning the victim\u2019s own wallet into the exfiltration channel.<\/p>\n The moralis-sdk package was particularly crafty. It started as a clean copy of the legitimate Moralis SDK in October 2025, then was weaponized through an update that added a heavily obfuscated postinstall.js file. <\/p>\n That file used a YouTube page as a remote activation switch and only delivered its payload if a hidden marker was found, giving the attacker remote control over when the malware activated.<\/p>\n Three typosquatting packages, ganach, solidty, and stelar-sdk, added another layer of innovation. Instead of hard-coding a server address, these packages queried an Ethereum smart contract to retrieve infrastructure details dynamically. <\/p>\n The malware then downloaded platform-specific binaries for Windows, Linux, or macOS depending on the victim\u2019s system.<\/p>\n Researchers also found several attribution hints. The accounts used to publish the packages had randomly generated names, a common tactic to avoid being traced. <\/p>\n Deobfuscated code contained Russian-language comments and variable names, pointing to a financially motivated actor with experience in cryptocurrency-related cybercrime, though no specific group was formally named.<\/p>\n Cyfirma recommends running installs with the flag npm install \u2013ignore-scripts to block automatic script execution. <\/p>\n Organizations should also deploy Software Composition Analysis tools<\/a>, avoid storing private keys or seed phrases in plaintext, and rotate any exposed credentials immediately. <\/p>\n Developers in Web3 environments should verify publisher identity, download history, and repository ownership before adding any unfamiliar package to their project.<\/p>\n Note:<\/strong>\u00a0IP addresses and domains are intentionally defanged (e.g.,\u00a0<\/em> Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in<\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong> Google<\/a><\/strong><\/strong>.<\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/p>\n The post Malicious npm Campaign Steals SSH Keys, API Tokens, Cloud Credentials, and Wallet Secrets<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"System](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhH6ans6HgxSJ_Lao_3BWbpfw3tItt0BgwPwXGZH7MlL7QJg0ithyPWOG-w4YSC5DEPRilWwjWu9dpFSHtzpigOh-FIAWQT3gzyNcSpHsTjSs0kviZL34sPvw7-gpUgDwiydhF1U5pSgTJ2NEjcGOXuQ5EbZndBJzp8NVBs1YE9x6VhALQmIrL37HWdEcc\/s16000\/System%2520Reconnaissance%2520%26%2520Data%2520Exfiltration%2520%28Source%2520-%2520Cyfirma%29.webp?ssl=1\")
Malicious npm Campaign<\/strong><\/h2>\n
![\"Command-and-Control](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhE6aSIhGgpk3TiWlqws105KM2aqEICEGYVQQ9upguRwnC8LgWxpTnYhXpUAMQtuHAWrjIbk7h8VxTwQGasNfsze8fciklb7tTj7i2ng0V7n_dWrQfkechQT7pWmSKuEe47qymsZAp4QF8bOJ4uNYrXTR0XLAU6Wfmk3dMeb2PGfimZKQlql72P2WlLpAU\/s16000\/Command-and-Control%2520%28C2%29%2520Configuration%2520%28Source%2520-%2520Cyfirma%29.webp?ssl=1\")
Blockchain Infrastructure and Attribution Clues<\/strong><\/h2>\n
![\"Cryptocurrency](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjYK6WhsOD1CeJt3bluNhuLHd5NggQVzJh6TaiMNuKEHBnkAcqzNodO-3746Jz1kzZycHcNAquC1m-N-Aa02YjsLq5TNWMQtQhA1FN5sgrtwhP248BY8m0L0LFtvnKeaZhL48DPDDHwGEDLsmZRqkezqlTrKdVSuNCiNamyFs8iInSNiLJ1QkaRQK65i8Q\/s16000\/Cryptocurrency%2520Wallet%2520Hijacking%2520Logic%2520%28Source%2520-%2520Cyfirma%29.webp?ssl=1\")
Indicators of Compromise (IoCs):-<\/strong><\/h2>\n
\n\n
\n \n#<\/th>\n Type<\/th>\n Indicator<\/th>\n Description<\/th>\n<\/tr>\n<\/thead>\n \n 1<\/td>\n SHA1<\/td>\n 53b91117db931d3acbbfd15aa8400bb6691e023d<\/td>\n ethers-jss package archive<\/td>\n<\/tr>\n \n 2<\/td>\n SHA256<\/td>\n d94a2444268b339dfda2615f7800322fb318e0a484414bb17016cfcd5eb07c44<\/td>\n ethers-jss package archive<\/td>\n<\/tr>\n \n 3<\/td>\n SHA1<\/td>\n 63154cd9c79f9d14eb9be6c4efc2a778d31646ec<\/td>\n coinbase-wallet-utils package archive<\/td>\n<\/tr>\n \n 4<\/td>\n SHA256<\/td>\n 6585ca0d3e26c20ced638f46f4a89eea924d411b8753d3fcf434663593c7cf0b<\/td>\n coinbase-wallet-utils package archive<\/td>\n<\/tr>\n \n 5<\/td>\n SHA1<\/td>\n 74d3d5ab6d0fa4c6a5860598231728a6a893ecf7<\/td>\n moralis-sdk v1.0.1 package archive<\/td>\n<\/tr>\n \n 6<\/td>\n SHA256<\/td>\n 17bad5ae5b2ac262f5f18854853869840245c344105aa38c7f550ef51d2e5f26<\/td>\n moralis-sdk v1.0.1 package archive<\/td>\n<\/tr>\n \n 7<\/td>\n SHA1<\/td>\n fcc8a542aad41e758cf6c18571048890be53808e<\/td>\n ganach package archive<\/td>\n<\/tr>\n \n 8<\/td>\n SHA256<\/td>\n 7269c00a6164fd01dd516e0a72b2bd84c82e78feb552e06964e4992ff0479dda<\/td>\n ganach package archive<\/td>\n<\/tr>\n \n 9<\/td>\n SHA1<\/td>\n 70842cfc27b116d0db2fd7aa33d53a3faf510993<\/td>\n solidty package archive<\/td>\n<\/tr>\n \n 10<\/td>\n SHA256<\/td>\n e848d73a68e4e8aea00a6257552b5872907dfaf7cce3d94636d7e59d286edeab<\/td>\n solidty package archive<\/td>\n<\/tr>\n \n 11<\/td>\n SHA1<\/td>\n e1bdcd1a7157f7d047a88ab4573723fe1e861951<\/td>\n stelar-sdk package archive<\/td>\n<\/tr>\n \n 12<\/td>\n SHA256<\/td>\n 2fa5b0475c3b70a3ba14c6a3938baf441a08b11841493b85e087d1d5e01eba49<\/td>\n stelar-sdk package archive<\/td>\n<\/tr>\n \n 13<\/td>\n SHA256<\/td>\n d6abc7003b580472d808b338adef0b28eacc698cd4692f76cb2a91718ab78d88<\/td>\n hardhat-deploy-utils package archive<\/td>\n<\/tr>\n \n 14<\/td>\n SHA256<\/td>\n bab96257018df49ace8fe8adfadc74cf8327fcf9a9dc8a3a7c9ac8e18881df5f<\/td>\n web3-deploy-helper package archive<\/td>\n<\/tr>\n \n 15<\/td>\n SHA256<\/td>\n d7ec660a2a29c1aabcbe9bff1ef29be9a9fab8c7fe7c40df4772dd2b5bdf9666<\/td>\n defi-sdk-core package archive<\/td>\n<\/tr>\n \n 16<\/td>\n SHA256<\/td>\n 5c50f79038b31aa8a3a68b24d8b783dfbd2e15fff7586c5609e544a717ef7d05<\/td>\n ethers-compat package archive<\/td>\n<\/tr>\n \n 17<\/td>\n SHA256<\/td>\n feabf10c8a9ba2775bb0f7f9d0b20203112b7df8e6d333a44d5a11eae0e38e86<\/td>\n ethereum-dev-utils package archive<\/td>\n<\/tr>\n \n 18<\/td>\n URL<\/td>\n pastefy.app\/RhPBKGli\/raw<\/td>\n Base64-encoded PowerShell payload hosting location<\/td>\n<\/tr>\n \n 19<\/td>\n IP:Port<\/td>\n 193[.]233[.]201[.]21:3001<\/td>\n Remote payload distribution server retrieved via blockchain mechanism<\/td>\n<\/tr>\n \n 20<\/td>\n Ethereum Smart Contract<\/td>\n 0xa1b40044EBc2794f207D45143Bd82a1B86156c6b<\/td>\n Used by malware to retrieve dynamic infrastructure information<\/td>\n<\/tr>\n \n 21<\/td>\n Ethereum Wallet Address<\/td>\n 0x52221c293a21D8CA7AFD01Ac6bFAC7175D590A84<\/td>\n Queried by the smart contract lookup mechanism to obtain C2 configuration<\/td>\n<\/tr>\n \n 22<\/td>\n Ethereum Wallet Address<\/td>\n 0xCBbecC5E5Eb88582e6305cF6ab688f03e02Ce16f<\/td>\n Attacker-controlled wallet used to receive exfiltrated credential transactions<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n [.]<\/em><\/code>) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM<\/em>.<\/p>\n