© MRS Media Company. Hackerdose LLC. All Rights Reserved.

Sneaky NPM Packages Are Stealing Your Ethereum Keys

Malicious npm packages are once again being used to steal Ethereum private keys and hijack SSH access.

By Marco Rizal, Editor, Journalist
Last updated: October 24, 2024 5:02 am
  • Phylum flagged malicious npm packages targeting Ethereum wallets.
  • Attackers aim to steal private keys and SSH access via npm libraries.
  • The malicious libraries disguise themselves as legitimate, fooling developers.

Security firm Phylum has identified multiple npm packages that attempt to steal sensitive Ethereum private keys and hijack SSH access.

These packages, disguised as legitimate libraries, were recently discovered attempting to install the attacker's SSH public key on a victim's machine, resulting in unauthorized access.

The findings were published in a recent security report, alerting developers to the growing risks posed by malicious npm libraries.

This new wave of attacks is similar to a case from August 2023, when a trojanized npm package called “ethereum-cryptographyy” was discovered stealing Ethereum keys.

In that case, the attackers replaced a valid cryptographic package dependency with a malicious one that included a remote server POST request to steal private keys.

According to Phylum's report, the new attack takes a slightly different approach, concealing itself more effectively and exploiting developers' trust in familiar libraries such as ethers, a popular tool with over 1.3 million downloads per week.

The malicious code was discovered within a seemingly benign library called “ethers-mew,” which closely resembles the original ethers library.

The attacker was counting on developers unknowingly including this bogus version in their projects.

When the compromised library is used to create an Ethereum wallet, the malicious code takes over, silently executing a script to exfiltrate private keys to a server registered under the deceptive domain “ether-sign[.]com,” according to Phylum's investigation.

A quick whois search revealed that the domain was recently registered, indicating that this is a new attack.

The damage does not stop there. While tracing the malware's code, Phylum discovered another trick hidden within the library: the ability to change the victim's root SSH files.

When a developer uses the npm package, the attacker's SSH key is added to the root user's authorized_keys file, effectively transferring control of the machine.

“It's an elaborate attack that's hidden in plain sight,” a Phylum analyst said. The malicious functions, named “checkAddress” and “checkServer,” make the code appear legitimate, complicating detection.

Phylum's detailed code analysis revealed how deeply the malware is embedded across multiple JavaScript files.

The seemingly innocent “checkAddress” function turns out to be a gateway for sending private keys to the attacker's server.

Another function, “superSignKey,” handles the SSH access attack by appending the attacker's public key to the root account, which grants full machine access.

The npm packages linked to this attack have been removed, but developers who used them should check their systems for signs of compromise.
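
One way to run that check, added here as an illustration and not taken from Phylum's report: the sketch below looks for the two package names mentioned in this article anywhere in an npm lockfile (including transitive dependencies) and lists authorized_keys entries that are not on a known-good allowlist. The function names, the allowlist approach and all sample data are assumptions made for the example.

```javascript
// Added example, not code from Phylum's report. Package names are from the article;
// function names are hypothetical and all sample data is constructed.
const FLAGGED_PACKAGES = new Set(["ethers-mew", "ethereum-cryptographyy"]);
// Return every flagged package in an npm lockfile, including transitive dependencies.
function findFlaggedPackages(lockfileText) {
  const lock = JSON.parse(lockfileText);
  const hits = [];
  if (lock.packages) {
    // Lockfile v2/v3: flat map keyed by install path; "" is the project itself.
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "") continue;
      // Aliased installs record the real package name in meta.name.
      const name = meta.name || path.split("node_modules/").pop();
      if (FLAGGED_PACKAGES.has(name)) hits.push({ name, version: meta.version, path });
    }
    return hits;
  }
  // Lockfile v1: nested "dependencies" tree.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = [...trail, name].join(" > ");
      if (FLAGGED_PACKAGES.has(name)) hits.push({ name, version: meta.version, path });
      walk(meta.dependencies, [...trail, name]);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Return authorized_keys entries whose key blob is not on the reviewer's allowlist.
// Simplified parser: assumes option strings do not themselves contain a key-type token.
function unexpectedKeys(authorizedKeysText, allowedBlobs) {
  const entry = /(?:^|[\s,])((?:ssh|ecdsa|sk)-[\w@.-]+)\s+([A-Za-z0-9+/=]+)(?:\s+(.*))?$/;
  return authorizedKeysText.split("\n")
    .map((line, i) => ({ line: i + 1, m: line.trim().startsWith("#") ? null : entry.exec(line.trim()) }))
    .filter((e) => e.m && !allowedBlobs.has(e.m[2]))
    .map((e) => ({ line: e.line, type: e.m[1], blob: e.m[2], comment: e.m[3] || "" }));
}

// Constructed sample inputs (not taken from the real incident).
const SAMPLE_LOCK = JSON.stringify({ lockfileVersion: 3, packages: {
  "": { name: "demo-app" },
  "node_modules/ethers": { version: "6.13.0" },
  "node_modules/wallet-kit/node_modules/ethers-mew": { version: "0.0.1" },
} });
const SAMPLE_KEYS = "# ops\nssh-ed25519 AAAAC3KNOWNKEY ops@example.com\n" +
  'no-pty,command="/bin/true" ssh-rsa AAAAB3UNKNOWNKEY\n';
console.log(findFlaggedPackages(SAMPLE_LOCK));
console.log(unexpectedKeys(SAMPLE_KEYS, new Set(["AAAAC3KNOWNKEY"])));
```

In practice, pass in the contents of the project's package-lock.json and of the root user's authorized_keys file, with the allowlist built from keys you know you installed.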
