Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Security News
Sarah Gooding
December 19, 2023
The cryptocurrency industry, while burgeoning in financial innovation, is grappling with escalating supply chain security threats, as recent exploits have led to significant financial losses for victims and eroded their trust in the security of their digital wallets and the platforms they rely on for secure transactions.
Last week the crypto world had a close brush with a shadowy digital heist, as Ledger, a prominent hardware wallet manufacturer, faced a supply chain attack following the compromise of a former employee’s npmjs account credentials through phishing. This allowed the attacker to upload wallet-draining code to Ledger Connect Kit, which powers many crypto frontends, enabling users to connect their wallets to decentralized applications (dApps), such as SushiSwap and Revoke.cash.
Although Ledger updated npmjs to remove the malicious code within 40 minutes of discovery, by then it had been active for around five hours, resulting in the theft of more than $600,000 in virtual assets.
Researchers from Neodyme took a technical deep dive into the exploit, characterizing the main JavaScript payload as “a fairly sophisticated wallet drainer” that “drains various tokens on EVM chains, supporting several different wallets.”
Further complicating the incident, there were nearly 300 downstream projects using connect-kit-loader which appeared to arbitrarily load the compromised connect-kit JavaScript in the browser from a CDN. Had this incident gone undetected for much longer, the devastating financial impacts would have been much worse.
In response to this incident, Ledger developers merged version 1.1.8 of the connect-kit-loader that is tethered to version 1.1.8 of the connect-kit, but moving forward they are deprecating the connect-kit-loader and advising developers to set up connect-kit manually from npm.
Ledger’s advisory on X is overrun with comments begging the company to start “taking security and code commit reviews seriously.” This incident should be a siren call to the wider crypto industry to reassess and significantly strengthen their supply chain security protocols. It highlights the urgent need for more proactive security measures, not only at the individual company level but throughout the entire ecosystem.
The aftermath of this incident saw customers tweeting their intentions to abandon Ledger in favor of alternative crypto wallet solutions and others signaling how profoundly their trust has been eroded in the wake of this attack.
While some have been quick to blame npm for this incident, this is not an issue of npm negligence. npm has been a compounding force of good, empowering the JavaScript community to flourish by enabling the ease of publishing developers’ work to the wider world. The package manager has created tools to support developers in verifying package origins and trustworthiness. The cause of this particular incident was an unfortunate breakdown of Ledger’s internal security control framework, as it’s the company and maintainers' responsibility to secure their repositories.
Most low-effort phishing attacks are easy to spot and thwart, as the wording is often awkward, filled with grammatical errors, and uses overly urgent or alarming language to provoke an immediate reaction. Ledger hasn’t revealed the nature of the phishing attack for this incident, but it was clever enough to ensnare one of their former developers.
More sophisticated phishing attacks are increasing in parallel with the proliferation of AI-powered tools, making it more difficult for victims to identify the scam in play.
This type of attack could also happen to a current employee so companies need to continuously update and reinforce their security training and awareness programs, so staff are vigilant and can recognize the subtle signs of these advanced phishing tactics. Even if the code you are relying on is solid, the human factor is unpredictable and can cause packages that have been trusted for years to become compromised.
In November, Aqua Nautilus researchers warned that exposed Kubernetes secrets are a "ticking supply chain attack bomb" that pose a critical threat to hundreds of organizations and open source projects:
Among the companies were SAP’s Artifacts management system with over 95 million, two top blockchain companies, and various other fortune-500 companies. These encoded Kubernetes configuration secrets were uploaded to public repositories.
These secrets were found through an audit of configuration files on GitHub containing .dockerconfigjson
and .dockercfg
, which found an alarming number of public repositories inadvertently exposing base64 encoded secrets.
In April, hackers who appeared to be working on behalf of the North Korean government were found to be responsible for a supply chain attack that hid code in a VoIP application called 3CX targeting cryptocurrency companies. Russian cybersecurity firm Kaspersky has been tracking this backdoor which the company said was used “with surgical precision.”
Crypto prime brokerage Floating Point Group (FPG) disclosed a cyber security incident in June, in which the company lost $15-20 million in cryptocurrencies. The company halted trading, deposits, and withdrawals in response while contacting law enforcement agencies for assistance. FPG’s customers managed more than $50B in assets. The report of the incident is the last tweet on the company’s X account. The impact of this breach is reported to have put the company on the brink, resulting in layoffs of 90% of its staff. This prompted speculation that the company was seeking a round of emergency financing to stabilize its operations and ensure continuity of its services.
These exploits demonstrate how devastating a security incident can be for companies that manage cryptocurrency and underscore the critical need for better tools to combat these attacks before they have the chance to land in application code bases.
Consumers drawn to cryptocurrency are often attracted by its promise to offer an alternative to the traditional financial world. Many of these individuals seek more autonomy over their finances and see this departure from conventional banking systems as a way to achieve financial self-sovereignty. Unfortunately, this ethos amplifies the sting of crypto security exploits, rapidly burning through the trust these individuals have placed in the decentralized financial system.
The crypto industry has recently raised over $78 million from 20 companies and leading industry voices to support crypto-forward U.S. political candidates in 2024. While political support for cryptocurrency innovation is important, securing these technologies is a paramount concern if the industry is to move forward without compromising the next generation of financial freedom.
Crypto companies are on the forefront of financial technology. Historically, they have attracted speculative investments and rapid, sometimes unchecked, growth of new projects and tokens, often without foundational security measures to support the handling of sensitive information.
While there are many robust and secure platforms in the crypto space, the industry has been plagued by numerous high-profile hacks, frauds, and scams. Crypto still has a wild west reputation, but it’s time for its baseline level of security to mature in line with the critical financial freedoms this industry delivers.
Socket secures hundreds of crypto projects on both our free and enterprise plans. AI-powered threat detection is indispensable for modern software development, as developers are simply not able to read every line of code they install from npm. Legitimate, trusted packages can be compromised, leading to costly supply chain attacks.
Socket differs from traditional Software Composition Analysis (SCA) tools, because they often don’t catch zero-day malware used in many high-profile campaigns. In contrast, Socket offers deep package inspection, which inspects dependencies and their behavior to identify threats so developers can take immediate action. Our tools are like an extra set of eyes that are constantly monitoring the open source ecosystem for deviations from expected package behavior.
Install Socket for GitHub today, or book a demo for tailored assistance in exploring how our tools can bolster your project's security and help you more effectively monitor your software dependencies.
Subscribe to our newsletter
Get notified when we publish new security blog posts!
Try it now
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.