Malware Infects NPM Packages: Supply Chain Attack (Crypto Wallet)

Malware Infects NPM Packages: Supply Chain Attack (Crypto Wallet)


Yesterday, September 8th, a large-scale attack on the NPM supply chain (which manages Javascript packages) took place. An attacker released malicious versions of popular packages, including strip-ansi, is-core-module, color-name, error-ex, has-ansi, and color-convert, affecting websites and frameworks. All this happened silently. Essentially, when you try to send funds to someone, if the website or dapp is infected, the receiving address is changed (to the attacker's).

What does the malware do?
1) Monkey Patching (altering website functions without modifying the source code).
2) Scanning crypto wallets.
3) Using the Levenshtein distance algorithm (replacing addresses with visually similar ones. For example, 0x27d...3ac will appear as 0x27d...3ac; the change is in the middle).
4) It intercepts transactions and manipulates them by modifying the data in memory through copy-and-paste (replacing the recipient's or smart contract's address with the attacker's).

If a website installs one of the malicious versions of the compromised packages, the malicious code is executed in the application runtime (Node.js server-side, as well as for front-end applications distributed in browsers, such as wallets).

be531f28b5fa1972e15cebd7376bc774149dc8b52f5497e41458104aed8aca8b.png

WHAT ARE THE RISKS?
Every time you type, copy/paste, or send a wallet address (e.g., Metamask, Phantom, etc.), the malware checks the string.
If it finds an address, it replaces it with one of the attacker's addresses. The replacement is done with visually similar addresses (similar to the Poisonous Attack, where small amounts of money, called dust, are sent from an address visually similar to the victim's, so that if the victim performs routine operations, such as sending to the same addresses, they "copy-paste" the incorrect address. This was a very popular attack a few years ago).
So if you open MetaMask or Phantom, the malware intercepts API calls (eth_sendTransaction, etc.). When you try to send funds from an affected dapp (wallet), the recipient's address is modified in memory before you sign the transaction. If you swap on a dex, it replaces the smart contract's address with the attacker's (intercepting outgoing and incoming data). If you haven't installed the malware in your browser and don't use the wallet until the situation is resolved, you're safe; otherwise, your funds will be sent to the attacker's address.

 

Ways to earn Airdrop & Crypto Bonus? Check it out here: Some Sites To Earn Free Crypto (Always Updated)

How do you rate this article?

79


☑️0🆇D̺͈͙͕̿ͧ̑ͣ🅰🆅🅸🅳eͤ
☑️0🆇D̺͈͙͕̿ͧ̑ͣ🅰🆅🅸🅳eͤ Verified Member

I love Bitcoin since 2012. I also love NFT. #BTC #ETH #MLBSorare


Darknet
Darknet

The topics will be 🅒🅡🅨🅟🅣🅞, of course. BTC and Degen crypto since 2012.⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀

Publish0x

Send a $0.01 microtip in crypto to the author, and earn yourself as you read!

20% to author / 80% to me.
We pay the tips from our rewards pool.