Malicious npm Packages Infect Developers’ Machines with SSH Backdoor
Researchers have discovered a series of suspicious packages on npm that were designed to collect private Ethereum keys and gain remote access to victims’ computers via SSH. According to experts at Phylum, the attackers aimed to “gain SSH access to the victim’s machine by writing their SSH public key to the authorized_keys file.”
Packages Involved in the Attack
The following packages were linked to this malicious campaign, all of which attempted to mimic the legitimate ethers package:
- ethers-mew (62 downloads)
- ethers-web3 (110 downloads)
- ethers-6 (56 downloads)
- ethers-eth (58 downloads)
- ethers-aaa (781 downloads)
- ethers-audit (69 downloads)
- ethers-test (336 downloads)
Some of these packages, published under the accounts crstianokavic and timyorks, were likely used only for testing, as they contained minimal changes. The most recent and fully developed malicious package was ethers-mew.
Attack Methods and Details
This is not the first time attackers have used typosquatting to disguise malware as popular packages. For example, last year Phylum analysts described a typosquatted package called ethereum-cryptographyy (a one-letter variant of the legitimate ethereum-cryptography) that sent victims' private keys to a server in China through a malicious dependency rather than through its own code.
In this new campaign, the attackers embedded the malicious code directly into the packages themselves, allowing them to exfiltrate Ethereum private keys to their own domain, ether-sign[.]com.
Unlike previous attacks where simply installing the package was enough to trigger the malware (typically through npm lifecycle scripts such as preinstall or postinstall), this campaign required victims to actually use the package in their code, for example by creating a new Wallet instance with the malicious package. The practical consequence is that install-time defenses such as `npm install --ignore-scripts` would not have blocked it: the malicious code ran only when the application itself called into the package.
The ethers-mew package also included functionality to modify the /root/.ssh/authorized_keys file, adding the attackers' SSH key to gain persistent remote access to the compromised host. Because the target path is root's authorized_keys file, that write only succeeds when the Node process itself runs as root, which is common in containers, CI runners and hastily configured servers; on such hosts a single `npm install` followed by normal use of the package is enough to hand the attackers an SSH login that survives removal of the package.
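As an added example, not Phylum's tooling or anything from the malicious packages, the following Node.js script checks a project for the two indicators described above: lookalike dependency names that impersonate `ethers`, and entries in an authorized_keys file that are not in an approved baseline. The package names come from the list in this article; the prefix and edit-distance heuristics, the approved-key baseline and the sample package.json and authorized_keys contents are constructed for the example and are assumptions, not data from the campaign.

```javascript
// Added example (not Phylum's code): flag lookalikes of the `ethers` npm package in a
// dependency manifest, and report authorized_keys entries that are not on an approved list.

// The legitimate package and the names from the ethers-mew campaign (from the article).
const LEGITIMATE = new Set(["ethers"]);
const KNOWN_MALICIOUS = new Set([
  "ethers-mew", "ethers-web3", "ethers-6", "ethers-eth",
  "ethers-aaa", "ethers-audit", "ethers-test",
]);

// Levenshtein distance, used to catch typosquats such as "etherss" or "ethrs".
function editDistance(a, b) {
  const dp = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) dp[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      dp[i][j] = Math.min(
        dp[i - 1][j] + 1,
        dp[i][j - 1] + 1,
        dp[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1),
      );
    }
  }
  return dp[a.length][b.length];
}

// Inspect every dependency name in a parsed package.json object.
// Returns an array of {name, reason}; an empty array means nothing suspicious.
// The prefix rule is a heuristic (assumption): third-party "ethers-*" packages exist,
// so a hit on that rule means "verify the publisher", not "definitely malicious".
function auditDependencies(pkg) {
  const findings = [];
  for (const section of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const name of Object.keys(pkg[section] || {})) {
      if (LEGITIMATE.has(name)) continue;
      if (KNOWN_MALICIOUS.has(name)) {
        findings.push({ name, reason: "known malicious package from the ethers-mew campaign" });
      } else if (name.startsWith("ethers-") || name.startsWith("ethers_")) {
        findings.push({ name, reason: "unscoped name built on 'ethers'; verify the publisher" });
      } else if (editDistance(name, "ethers") <= 2) {
        findings.push({ name, reason: "possible typosquat of ethers" });
      }
    }
  }
  return findings;
}

// Reduce an authorized_keys line to "<type> <base64>", dropping options and the comment.
// Simplification: options containing quoted whitespace are not handled.
function normalizeKey(line) {
  const fields = line.trim().split(/\s+/);
  const i = fields.findIndex((f) => /^(ssh-|ecdsa-|sk-)/.test(f));
  return i === -1 || !fields[i + 1] ? null : `${fields[i]} ${fields[i + 1]}`;
}

// Return the authorized_keys lines whose key material is not in the approved baseline.
// Comments are ignored on purpose: an attacker can copy a legitimate-looking comment,
// so only the key type and the key blob are compared.
function unexpectedAuthorizedKeys(fileText, approvedKeys) {
  const approved = new Set(approvedKeys.map(normalizeKey));
  const unexpected = [];
  for (const raw of fileText.split("\n")) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#")) continue;
    const key = normalizeKey(line);
    if (key && !approved.has(key)) unexpected.push(line);
  }
  return unexpected;
}

// Constructed sample input (not real files): a manifest that pulled in ethers-mew and a
// typo'd devDependency, plus an authorized_keys file with one approved key and one
// appended by an attacker. The key blobs are placeholders, not real keys.
const SAMPLE_PACKAGE_JSON = {
  name: "wallet-tool",
  dependencies: { "ethers-mew": "^1.0.0", express: "^4.18.2" },
  devDependencies: { etherss: "^5.0.0" },
};
const APPROVED_KEYS = [
  "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleApprovedKeyBlobAAAAAAAAAAAAAAAA ops@example",
];
const SAMPLE_AUTHORIZED_KEYS = `# approved keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleApprovedKeyBlobAAAAAAAAAAAAAAAA ops@example
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQConstructedAttackerKeyBlob attacker@evil
`;

console.log(auditDependencies(SAMPLE_PACKAGE_JSON));
console.log(unexpectedAuthorizedKeys(SAMPLE_AUTHORIZED_KEYS, APPROVED_KEYS));
```

To use this against a real project, replace the two constructed samples with `JSON.parse(fs.readFileSync("package.json"))` and the contents of the relevant authorized_keys files (root's and each service user's), and keep the approved-key baseline in configuration management rather than on the host being checked, since a host that already has an attacker key in authorized_keys cannot be trusted to hold its own baseline.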
Short-Lived Packages
“All of these packages, as well as the accounts that published them, existed for a very short time and appear to have been deleted by the authors themselves,” Phylum specialists reported.