Ethereum Development Tools Targeted in Supply Chain Attack
A recent supply chain attack has targeted key components of the Ethereum development ecosystem, affecting platforms like the Nomic Foundation and Hardhat. The attackers used malicious npm packages to infiltrate the ecosystem, stealing sensitive data such as private keys, mnemonics, and configuration files.
The attack, uncovered by Socket, involved the distribution of 20 malicious npm packages created by three main authors. For example, one package called @nomicsfoundation/sdk-test was downloaded over a thousand times. This breach puts development environments at risk of backdoors, financial losses, and compromised production systems.
To direct the attack, the perpetrators used Ethereum smart contracts to manage their command-and-control (C2) server addresses. Because on-chain data is decentralized and immutable, taking down a single server does not disrupt the infrastructure; one specific contract dynamically provided the current C2 addresses to infected systems.
The attackers also employed an impersonation strategy, mimicking legitimate Hardhat plugins to embed themselves into the supply chain. Malicious packages like @nomisfoundation/hardhat-configure and @monicfoundation/hardhat-config closely resemble genuine plugins, targeting processes like deployment, gas optimization, and smart contract testing.
Both the malicious and the legitimate plugins use similar naming conventions, claim to provide useful extensions, and target comparable development processes. The malicious plugins exploit developers' trust in packages hosted on npm and use functions like hreInit() and hreConfig() to collect sensitive data.
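The impersonation relies on scope names that are one or two characters away from the genuine @nomicfoundation scope. The following is an added example, not code from the article or from Socket or the Nomic Foundation: it scans a list of dependency names from a manifest and flags any scoped package whose scope is a near-miss (edit distance 1 or 2) of a trusted scope. The allowlist of trusted scopes and the sample dependency list are constructed for this example; adapt the allowlist to the scopes your project actually depends on.

```javascript
// Added example (not from the article): flag npm dependencies whose scope is a
// near-miss of a trusted scope, the typosquatting pattern described above.

// Trusted scopes are an assumption for this example; replace with your own allowlist.
const TRUSTED_SCOPES = ["@nomicfoundation", "@openzeppelin"];
// Scopes within this many edits of a trusted scope (but not equal) are flagged.
const MAX_DISTANCE = 2;

// Levenshtein edit distance, computed with a single rolling row.
function editDistance(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0]; // dp[i-1][j-1] for the current j
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j]; // dp[i-1][j], needed as next diag
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + cost);
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Returns the "@scope" part of a package name, or null for unscoped packages.
function scopeOf(name) {
  if (!name.startsWith("@")) return null;
  const slash = name.indexOf("/");
  return slash === -1 ? null : name.slice(0, slash);
}

// Collects dependency names from a parsed package.json object so the checker
// can be run on a real manifest (dependencies and devDependencies).
function dependencyNames(pkgJson) {
  return Object.keys({
    ...(pkgJson.dependencies || {}),
    ...(pkgJson.devDependencies || {}),
  });
}

// Flags scoped packages whose scope looks like a trusted scope without being one.
function findLookalikes(depNames, trusted = TRUSTED_SCOPES) {
  const findings = [];
  for (const name of depNames) {
    const scope = scopeOf(name);
    if (scope === null || trusted.includes(scope)) continue;
    for (const good of trusted) {
      const distance = editDistance(scope.toLowerCase(), good.toLowerCase());
      if (distance > 0 && distance <= MAX_DISTANCE) {
        findings.push({ name, scope, lookalikeOf: good, distance });
        break;
      }
    }
  }
  return findings;
}

// Constructed sample: two genuine Hardhat packages, two unscoped packages, and
// the three impersonating scopes named in the article.
const SAMPLE_DEPENDENCIES = [
  "@nomicfoundation/hardhat-toolbox",
  "@nomicfoundation/hardhat-ethers",
  "@nomicsfoundation/sdk-test",
  "@nomisfoundation/hardhat-configure",
  "@monicfoundation/hardhat-config",
  "hardhat",
  "ethers",
];

for (const f of findLookalikes(SAMPLE_DEPENDENCIES)) {
  console.log(
    `suspicious: ${f.name} (scope ${f.scope} is ${f.distance} edit(s) from ${f.lookalikeOf})`
  );
}
```

Run against the sample list, the three impersonating packages are reported and the genuine @nomicfoundation packages are not. The check is deliberately scoped to the "@scope" prefix: a lookalike scope is what gives these packages their credibility, and comparing whole package names against each other would produce noise between legitimate plugins that share a naming pattern. A lockfile or CI step that runs this over `dependencyNames(JSON.parse(fs.readFileSync("package.json")))` turns it into an install-time gate.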
The attack flow starts with the installation of a compromised package, which then abuses Hardhat Runtime Environment (HRE) functions to gather sensitive data. This data is encrypted with a predefined AES key and sent to attacker-controlled endpoints.
To prevent such attacks, developers are advised to adopt stricter auditing and monitoring practices to safeguard their development environments. Steps like securing privileged access management, implementing a zero-trust architecture, and conducting routine security assessments can significantly reduce the risk of supply chain attacks.
Furthermore, maintaining a software bill of materials (SBOM) and strengthening the build environment are recommended strategies to boost security. By incorporating these practices, developers can lower the risk of supply chain attacks and enhance the overall security of their software development processes.