More than a dozen malicious npm packages spoofing the Hardhat development environment for Ethereum have been used to exfiltrate data from Ethereum developer systems, according to The Hacker News. One of the packages alone amassed nearly 1,100 downloads; together they enable the theft of Hardhat private keys and mnemonic phrases.
Once installed, the counterfeit packages abuse the Hardhat runtime environment to collect configuration files, mnemonics, and private keys and send them to attacker-controlled endpoints, a report from the Socket research team showed. A separate Socket analysis revealed the spread of fake libraries across npm, PyPI, and RubyGems that steal data by misusing out-of-band application security testing (OAST) tools. "Originally intended to uncover vulnerabilities in web applications, OAST methods are increasingly exploited to steal data, establish command and control (C2) channels, and execute multi-stage attacks," said Socket researcher Kirill Boychenko. Such findings should prompt more stringent package verification and source code-checking processes.