A whole host of crypto npm packages have been compromised
A number of npm packages published by a major cryptocurrency exchange have been compromised and updated to contain malicious code
Decentralized cryptocurrency exchange (DEX) dYdX tweeted its discovery of the compromise and how it acted to resolve the issue.
“At 6:14 AM EST, we identified malicious versions published on some dYdX NPM packages that were quickly removed,” the tweet read. “All funds are SECURE, our websites/apps were NOT compromised, the attack did NOT affect smart contracts.”
Multiple packages spread infostealers
Further explaining how user funds will not be compromised, the company said: “Reminder that dYdX does not have custody of user funds, which are deposited directly into a smart contract on the blockchain.”
Cybersecurity researcher Maciej Mensfeld of security firm Mend and Difend.io found that some of the packages contained code that would run information-stealing malware when executed. He identified three packages that had been hijacked for use in identity theft attacks:
- @dydxprotocol/solo – versions 0.41.1, 0.41.2
- @dydxprotocol/perpetual – versions 1.2.2, 1.2.3
The package ‘@dydxprotocol/node-service-base-dev’ has also reportedly been compromised, but that package has since been removed from the platform.
The packages are described as “Ethereum Smart Contracts and TypeScript library used for the dYdX Solo Trading Protocol.” The solo package, according to the report, is used by at least 44 GitHub repositories built by “multiple crypto platforms”.
Apparently, this isn’t the first time threat actors have tried to smuggle this identical malicious code into different packages. BleepingComputer even claims to have seen code “strikingly identical” to it in the malicious “PyGrata” Python packages that stole Amazon Web Services (AWS) credentials, environment variables, and SSH keys.
Code repositories are often targeted by malicious actors who build malicious versions of popular packages and give them similar names, in the hope that overworked or reckless developers unknowingly pick the wrong one.
Via: BleepingComputer