Hijacked npm Packages Target API Keys Through Sophisticated Supply Chain Attack

Security researchers have found that multiple cryptocurrency-related packages on the npm registry were compromised to steal sensitive data from the systems that installed them.

According to Sonatype researcher Ax Sharma, several packages that had existed legitimately on npmjs.com for over 9 years were found to contain malicious obfuscated scripts in their latest versions.

The compromised packages include widely used tools like country-currency-map, bnb-javascript-sdk-nobroadcast, and multiple other blockchain development libraries. The malicious code was inserted into two specific scripts that activate upon package installation: "package/scripts/launch.js" and "package/scripts/diagnostic-report.js".

These scripts were engineered to collect sensitive information including API keys, access tokens, and SSH keys from infected systems before transmitting the data to a remote server.

A notable aspect of this attack is that the associated GitHub repositories remained unmodified, suggesting the attackers focused solely on compromising the npm packages. The exact method of compromise remains unclear, though researchers suspect either credential stuffing attacks or expired domain takeovers as likely vectors.

The timing of the attacks across multiple distinct projects points toward compromised maintainer accounts as the most probable explanation, rather than coordinated phishing attempts.

This incident highlights persistent security challenges in open-source software maintenance, particularly for projects that are no longer actively maintained. The case emphasizes the necessity of two-factor authentication on maintainer accounts to protect against account takeovers.

Organizations and developers are advised to enhance their vigilance when using third-party software registries and strengthen their security measures throughout the development process to protect against such supply chain attacks.