Hundreds of fake packages with malware are published online to scam developers.
A new day, a new typosquatting campaign.
Software developers, especially those working in the cryptocurrency space, are facing a new hacking threat through open-source code repositories. Cybersecurity researchers have warned about the emergence of hundreds of malicious packages in the npm repository, which are tampered versions of Puppeteer and Bignum.js. These packages use names similar to the originals, which may lead developers to accidentally download the wrong version.
When one of these packages is used, it connects to a hidden server to download a second malicious payload, thus infecting the developers' computers. According to specialists, "the binary sent to the machine is a compressed Vercel package."
The attackers also attempted to execute an additional script during package installation; however, the file that script referenced was not shipped inside the package, which prevented the researchers from analyzing it and which they consider a clear mistake by the malicious package's author.
One of the features that distinguishes this campaign from others is the effort made to hide the servers controlled by the perpetrators. The malware authors have been forced to find more ingenious ways to disguise their intentions and obfuscate the remote servers they control. As a result, the IP address is not visible in the first-stage code; instead, the code reads it from a smart contract on Ethereum where the address is stored. Ironically, this allowed researchers to trace every IP address the criminals used, since the blockchain is permanent and immutable.
The nature of the attack appears to be aimed at stealing seed phrases and accessing the wallets of cryptocurrency developers. Therefore, developers, especially those involved in Web3, are advised to carefully verify the names of all downloaded packages to avoid falling into these traps.
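The two defensive checks below are an added example, not code from the article or from the researchers it cites. They show how a developer or a CI step can flag the two patterns the article describes: dependency names that are a small edit away from a trusted package name (the Puppeteer/Bignum.js lookalikes), and install-time lifecycle scripts in a dependency's manifest, including scripts that reference a file the package never shipped. The trusted-package list, the sample project manifest, the sample dependency manifest and its file list are all constructed for illustration.

```javascript
// Added example (not from the article): pre-install checks against npm
// typosquatting and install-time script abuse. All sample data is constructed.

// Constructed allow-list of package names the project actually intends to use.
const TRUSTED_PACKAGES = ['puppeteer', 'bignum', 'lodash', 'express'];

// Optimal-string-alignment edit distance: insertions, deletions,
// substitutions and adjacent transpositions each cost 1.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Strip a scope prefix ("@scope/name" -> "name") so scoped lookalikes are
// compared against the bare trusted name.
function bareName(name) {
  return name.startsWith('@') ? name.split('/')[1] || name : name;
}

// Returns [{ dependency, lookalikeOf, distance }] for every dependency whose
// name is not itself trusted but lies within maxDistance of a trusted name.
function findTyposquatCandidates(dependencies, trusted = TRUSTED_PACKAGES, maxDistance = 2) {
  const trustedSet = new Set(trusted);
  const findings = [];
  for (const dep of Object.keys(dependencies)) {
    const bare = bareName(dep).toLowerCase();
    if (trustedSet.has(bare)) continue;
    for (const t of trusted) {
      const distance = editDistance(bare, t);
      if (distance <= maxDistance) findings.push({ dependency: dep, lookalikeOf: t, distance });
    }
  }
  return findings;
}

// npm lifecycle hooks that run automatically when a dependency is installed.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Returns the install-time scripts a package manifest declares, so they can be
// reviewed before the package is allowed into the dependency tree.
function findInstallScripts(manifest) {
  const scripts = manifest.scripts || {};
  return INSTALL_HOOKS.filter((hook) => hook in scripts).map((hook) => ({ hook, command: scripts[hook] }));
}

// Heuristic: local script files named in an install hook that are absent from
// the package's shipped file list (the article notes the campaign's install
// script pointed at a file that was never included in the package).
function findMissingScriptTargets(manifest, packageFiles) {
  const files = new Set(packageFiles.map((f) => f.replace(/^\.\//, '')));
  const missing = [];
  for (const { hook, command } of findInstallScripts(manifest)) {
    for (const token of command.split(/\s+/)) {
      if (!/^\.?\/?[\w./-]+\.(js|mjs|cjs|sh)$/.test(token)) continue;
      const path = token.replace(/^\.\//, '');
      if (!files.has(path)) missing.push({ hook, path });
    }
  }
  return missing;
}

// Constructed sample: a project that pulled in two lookalike names.
const SAMPLE_PROJECT = {
  dependencies: { pupeteer: '^21.0.0', bignumjs: '1.0.0', express: '^4.18.0' },
};

// Constructed sample: a suspicious dependency's manifest and its shipped files.
const SAMPLE_DEPENDENCY_MANIFEST = {
  name: 'pupeteer',
  version: '21.0.0',
  scripts: { postinstall: 'node ./setup.js' },
};
const SAMPLE_DEPENDENCY_FILES = ['package.json', 'index.js', 'lib/util.js'];

console.log('lookalike dependencies:', findTyposquatCandidates(SAMPLE_PROJECT.dependencies));
console.log('install-time scripts:', findInstallScripts(SAMPLE_DEPENDENCY_MANIFEST));
console.log('scripts pointing at unshipped files:',
  findMissingScriptTargets(SAMPLE_DEPENDENCY_MANIFEST, SAMPLE_DEPENDENCY_FILES));
```

The edit-distance threshold of 2 is deliberately loose; in a real pipeline the trusted list would be the project's lockfile or an organisation-wide allow-list, and any match would block the install pending review rather than merely print a warning. The unshipped-file heuristic only looks at script arguments that end in a script extension, so it is a review aid, not a complete parser of shell commands.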