Friday, May 2, 2025

Malicious npm Packages Stealing Developers’ Sensitive Data


Attackers published 20 malicious npm packages impersonating legitimate Nomic Foundation and Hardhat plugins. Downloaded more than 1,000 times, the packages compromised development environments, potentially backdoored production systems, and resulted in financial losses.

The attackers use Ethereum smart contracts, such as the one at 0xa1b40044EBc2794f207D45143Bd82a1B86156c6b, to store and distribute Command & Control (C2) server addresses to compromised systems. Because the blockchain is decentralized, this part of the attackers’ infrastructure is difficult to disrupt.

The Ethereum wallet address 0x52221c293a21D8CA7AFD01Ac6bFAC7175D590A84, implicated in malicious campaigns, serves as a key parameter to a specific smart contract that is queried to dynamically fetch the current C2 server information, letting the attacker maintain persistent control over compromised systems.


The supply chain attack relies on malicious packages whose names closely resemble legitimate ones, such as “@nomisfoundation/hardhatconfigure” and “@monicfoundation/hardhatconfig,” to deceive developers into installing them and thereby compromise the integrity of their projects.


The same naming trick is applied to Hardhat plugins: a package such as “@nomisfoundation/hardhat-configure” mimics the legitimate “@nomiclabs/hardhat-ethers,” so that developers install malicious code disguised as a plugin and compromise their development environment and potentially their projects.

The malicious Hardhat packages hook into legitimate plugin integration points, mimicking functionality such as deployment scripts, gas optimization tools, and testing frameworks. From that position they can compromise development workflows, steal private keys, manipulate transactions, or introduce backdoors into deployed contracts.

Legitimate plugins use the Hardhat Runtime Environment (HRE) for essential tasks such as contract deployment and testing; the malicious npm packages abuse that same runtime access, through functions like hreInit() and hreConfig(), to exfiltrate sensitive data.

The attacker extracts mnemonics and private keys from the Hardhat environment by serializing the Hardhat Runtime Environment (hre) object to a string, but only when it contains a non-empty mnemonic or private key value.

Data Exfiltration

According to the Socket researchers, the sensitive data is encrypted with a predefined AES key and exfiltrated to an attacker-controlled endpoint via an API POST request.

In short, the attack vector is a malicious package that compromises the Hardhat runtime, abusing functions like hreInit() and hreConfig() to extract sensitive information such as private keys and mnemonics.

The extracted data is then transmitted to attacker-controlled endpoints using the hardcoded encryption key and the Ethereum addresses described above. By abusing trust in the open-source software supply chain in this way, the campaign compromises private keys and seed phrases.

With those keys, attackers can deploy malicious smart contracts on the Ethereum mainnet, potentially causing significant financial losses and eroding trust within the open-source ecosystem.
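As an added example (not code from the article, from Socket, or from the Nomic Foundation), the following JavaScript checks a package.json dependency map for scopes that typosquat the genuine @nomicfoundation and @nomiclabs scopes, and scans package source for the hreInit()/hreConfig() hooks and hardcoded Ethereum addresses the article describes. The sample dependencies and source lines are constructed, and the two-edit threshold is an assumption.

```javascript
// Added example: defender-side checks for the indicators described above, run offline.
const LEGIT_SCOPES = ["@nomicfoundation", "@nomiclabs"]; // genuine Hardhat scopes
// Levenshtein edit distance, single-row dynamic programming.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = above;
    }
  }
  return row[b.length];
}

// Dependencies whose scope is within maxEdits of a legitimate scope but not identical: probable typosquats.
function findTyposquats(deps, maxEdits = 2) {
  const hits = [];
  for (const name of Object.keys(deps)) {
    const scope = name.startsWith("@") ? name.split("/")[0] : null;
    if (!scope || LEGIT_SCOPES.includes(scope)) continue;
    for (const legit of LEGIT_SCOPES) {
      const edits = editDistance(scope, legit);
      if (edits <= maxEdits) { hits.push({ name, lookalikeOf: legit, edits }); break; }
    }
  }
  return hits;
}

// Source lines referencing the Hardhat runtime hooks named in the article, or embedding a 20-byte Ethereum address.
function findRuntimeIndicators(source) {
  const re = /\bhreInit\b|\bhreConfig\b|\b0x[0-9a-fA-F]{40}\b/;
  return source.split("\n")
    .map((text, i) => ({ line: i + 1, text: text.trim() }))
    .filter((l) => re.test(l.text));
}
// Constructed sample inputs: typosquat names from the article beside genuine ones.
const SAMPLE_DEPS = {
  "@nomicfoundation/hardhat-toolbox": "*", "@nomiclabs/hardhat-ethers": "*",
  "@nomisfoundation/hardhat-configure": "*", "@monicfoundation/hardhatconfig": "*",
};
const SAMPLE_SOURCE = [
  "const { hreInit } = require('./runtime');",
  "module.exports = (hre) => hreConfig(hre);",
  "const c2Contract = '0x" + "0".repeat(40) + "'; // placeholder, not a real address",
].join("\n");
console.log(findTyposquats(SAMPLE_DEPS), findRuntimeIndicators(SAMPLE_SOURCE));
```

Run it against a real lockfile or node_modules tree by replacing the constructed samples; a hit is a prompt for review, not proof of compromise.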


Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
