Full Report
Cybersecurity researchers have revealed several malicious packages on the npm registry that have been found impersonating the Nomic Foundation's Hardhat tool in order to steal sensitive data from developer systems. "By exploiting trust in open source plugins, attackers have infiltrated these platforms through malicious npm packages, exfiltrating critical data such as private keys, mnemonics,
Analysis Summary
# Tool/Technique: Fake Hardhat npm Packages (Supply Chain Compromise)
## Overview
Russian-speaking attackers published a series of malicious packages on the npm registry that impersonate Hardhat, the Nomic Foundation's Ethereum development framework, or plausible companion utilities (configuration, deployment, gas-optimization and validator packages). The packages target Ethereum developers; once installed or imported they harvest private keys, mnemonics and configuration files from the developer's environment and exfiltrate them to attacker-controlled infrastructure.
## Technical Details
- Type: Malware/Malicious Package (Software Supply Chain Injection)
- Platform: JavaScript/Node.js environments (specifically targeting developers using the npm registry and the Hardhat framework)
- Capabilities: Harvesting local developer secrets (keys, mnemonics) immediately upon installation/runtime execution; data exfiltration to attacker-controlled infrastructure.
- First Seen: At least October 2023, when `@nomicsfoundation/sdk-test` was published; the campaign had therefore been running for more than a year when it was analyzed.
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
- T1195 - Supply Chain Compromise
- T1195.002 - Compromise Software Supply Chain
- TA0005 - Defense Evasion
- T1036.005 - Masquerading: Match Legitimate Name or Location (typosquatted package and scope names)
- TA0006 - Credential Access
- T1552.001 - Unsecured Credentials: Credentials In Files (keys and mnemonics read from Hardhat configuration)
- TA0010 - Exfiltration
- T1041 - Exfiltration Over C2 Channel
## Functionality
### Core Capabilities
- **Impersonation:** Publishing packages whose names are near-misses of the legitimate `hardhat` package and `@nomicfoundation` scope (e.g., `nomicsfoundations`, `@nomicfoundations/hardhat-config`), or that sound like plausible Hardhat plugins (e.g., `hardhat-gas-optimizer`).
- **Credential Harvesting:** Functions reported as `hreInit()` and `hreConfig()` access the Hardhat Runtime Environment (HRE), where the network definitions from `hardhat.config.js` carry the `accounts` entries (raw private keys or an HD-wallet mnemonic) the developer has configured.
- **Data Collection:** Collecting private keys, mnemonic phrases and configuration details found in the developer's environment.
### Advanced Features
- **Data Exfiltration:** Collected data is encrypted with keys hardcoded in the package and sent to attacker-controlled endpoints; hardcoded Ethereum addresses are embedded alongside them. Because the encryption key is fixed in the code, an analyst holding a sample can decrypt captured exfiltration traffic.
## Indicators of Compromise
- File Hashes: N/A (Package names listed below)
- File Names: N/A (Focus is on package names)
- Registry Keys: N/A
- Network Indicators: Attacker-controlled endpoints (specific domains/IPs are not given in the summary); the observable is an outbound connection from a Node.js process during or immediately after dependency installation.
- Behavioral Indicators: Code that runs on package install or import, queries the Hardhat Runtime Environment for network configuration (functions reported as `hreInit()` and `hreConfig()`), and then transmits the results.
**Identified Malicious Packages:**
* `nomicsfoundations`
* `@nomisfoundation/hardhat-configure`
* `installedpackagepublish`
* `@nomisfoundation/hardhat-config`
* `@monicfoundation/hardhat-config`
* `@nomicsfoundation/sdk-test` (Attracted 1,092 downloads)
* `@nomicsfoundation/hardhat-config`
* `@nomicsfoundation/web3-sdk`
* `@nomicsfoundation/sdk-test1`
* `@nomicfoundations/hardhat-config`
* `crypto-nodes-validator`
* `solana-validator`
* `node-validators`
* `hardhat-deploy-others`
* `hardhat-gas-optimizer`
* `solidity-comments-extractors`
## Associated Threat Actors
- Russian-Speaking Attackers
## Detection Methods
- Signature-based detection: Match dependency names in `package.json` and `package-lock.json` against the package list above and against near-misses of the legitimate `hardhat` name and `@nomicfoundation` scope (`@nomicsfoundation`, `@nomisfoundation`, `@monicfoundation`, `@nomicfoundations`); treat newly published or low-download packages with such names as suspect.
- Behavioral detection: Node.js processes that read `hardhat.config.js`, `.env` or wallet/keystore files and then open outbound connections during or immediately after `npm install`, and npm lifecycle scripts (`preinstall`/`postinstall`) appearing in newly added dependencies.
- YARA rules: N/A (Not provided in source)
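The name-based check above can be automated against a lockfile. The following is an added example written for this page, not code from the source report or from the Hardhat project: it computes the edit distance between each installed package's scope (or unscoped name) and the trusted `hardhat` / `@nomicfoundation` names. The allowlist of other unscoped packages and the lockfile contents are constructed for the example.

```javascript
// Added example: a lockfile typosquat check for Hardhat projects. The
// legitimate Hardhat packages are the unscoped `hardhat` and the
// `@nomicfoundation/*` scope; the allowlist of other unscoped packages and
// the lockfile below are constructed for this example.

const TRUSTED_SCOPES = ["@nomicfoundation"];
const TRUSTED_UNSCOPED = ["hardhat", "ethers", "chai"];   // project-specific allowlist (assumption)
const MAX_DISTANCE = 2;                                    // edits at which a name counts as a near-miss

// Levenshtein edit distance with a rolling row.
function levenshtein(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// "@scope/name" -> { scope, pkg }; unscoped names get scope === null.
function splitName(name) {
  const m = /^(@[^/]+)\/(.+)$/.exec(name);
  return m ? { scope: m[1], pkg: m[2] } : { scope: null, pkg: name };
}

// One finding ({ name, reason }) or null when the name looks fine.
function checkName(name) {
  const { scope, pkg } = splitName(name);
  if (scope !== null) {
    if (TRUSTED_SCOPES.includes(scope)) return null;        // genuinely from the trusted scope
    for (const t of TRUSTED_SCOPES) {
      const d = levenshtein(scope, t);
      if (d <= MAX_DISTANCE) return { name, reason: `scope ${scope} is ${d} edit(s) from ${t}` };
    }
    return null;
  }
  if (TRUSTED_UNSCOPED.includes(pkg)) return null;
  // Unscoped names that imitate a trusted package or a trusted scope's bare name.
  const targets = [...TRUSTED_UNSCOPED, ...TRUSTED_SCOPES.map((s) => s.slice(1))];
  for (const t of targets) {
    const d = levenshtein(pkg, t);
    if (d <= MAX_DISTANCE) return { name, reason: `${pkg} is ${d} edit(s) from ${t}` };
  }
  return null;
}

// package-lock.json v2/v3 lists installed packages under "packages", keyed by
// "node_modules/<name>" (nested installs repeat the prefix). Return all findings.
function scanLockfile(lock) {
  const findings = [];
  const marker = "node_modules/";
  for (const key of Object.keys(lock.packages || {})) {
    if (key === "") continue;                                // the root project itself
    const name = key.slice(key.lastIndexOf(marker) + marker.length);
    const f = checkName(name);
    if (f) findings.push(f);
  }
  return findings;
}

// Constructed lockfile: two legitimate entries, four look-alikes from the IoC
// list, and one plausible-sounding plugin name a distance check cannot catch.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-dapp" },
    "node_modules/hardhat": { version: "0.0.0" },
    "node_modules/@nomicfoundation/hardhat-toolbox": { version: "0.0.0" },
    "node_modules/@nomicsfoundation/sdk-test": { version: "0.0.0" },
    "node_modules/@nomisfoundation/hardhat-config": { version: "0.0.0" },
    "node_modules/@monicfoundation/hardhat-config": { version: "0.0.0" },
    "node_modules/nomicsfoundations": { version: "0.0.0" },
    "node_modules/hardhat-gas-optimizer": { version: "0.0.0" },
  },
};

for (const f of scanLockfile(SAMPLE_LOCK)) console.log(`SUSPECT ${f.name}: ${f.reason}`);
```

The four scope/name look-alikes are flagged; `hardhat-gas-optimizer` is not, because it imitates no existing name and only sounds like a plugin. A distance check therefore catches typosquats but not invented plugin names, which is why it should sit alongside an allowlist of known publishers rather than replace one.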
## Mitigation Strategies
- **Dependency Verification:** Verify the publisher and scope of every third-party package before installing it; for Hardhat tooling, only the unscoped `hardhat` package and the `@nomicfoundation/*` scope belong to the project. Pin versions with a lockfile and install with `npm ci`, and use `npm audit signatures` to check registry signatures and provenance attestations where publishers supply them.
- **Install-time Controls:** Install with `npm install --ignore-scripts` (or `ignore-scripts=true` in `.npmrc`) to stop `preinstall`/`postinstall` hooks. This does not stop payloads that run when the package is imported, which is how a plugin listed in `hardhat.config.js` executes, so it complements dependency review rather than replacing it.
- **Environment Isolation:** Run development and CI with least privilege, and keep mainnet signing keys off developer workstations entirely (hardware wallet or a separate signing service) so a compromised dependency has nothing of value to read.
- **Secret Management:** Never place private keys or mnemonics as literals in `hardhat.config.js`. Loading them from environment variables or a secrets store is better hygiene, but any dependency loaded by the config runs in the same Node.js process and can read `process.env`, so this limits accidental exposure rather than stopping a malicious package.
- **Code Review:** Audit the dependency tree of critical projects, especially packages installed from public registries, and remove anything not traceable to a known maintainer.
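The secret-management point can be enforced as a pre-commit or CI check. The following is an added example written for this page, not code from the source report or from Hardhat: it scans the text of a `hardhat.config.js` for two literal patterns (a 64-hex private key and a 12-to-24-word lowercase phrase in quotes), redacts what it reports, and returns a pass/fail. The sample configs and the `0xdeadbeef...` key are constructed for the example.

```javascript
// Added example: a pre-commit/CI check that fails when a Hardhat config embeds
// signing material as a literal. Two heuristics are used: a 32-byte hex key
// (with or without 0x) and a quoted phrase of 12..24 lowercase words. Matches
// are redacted so the check itself never echoes a secret into CI logs.
// The sample configs below are constructed for this example.

const HEX_KEY = /\b(?:0x)?[0-9a-fA-F]{64}\b/g;
const MNEMONIC = /["'`]((?:[a-z]+ ){11,23}[a-z]+)["'`]/g;

// Show only a short prefix of a match.
function redact(s) {
  return s.length <= 8 ? "****" : s.slice(0, 6) + "...****";
}

// Return [{ line, kind, excerpt }] for every literal that looks like a secret.
// `line` is 1-based. Known false positive: any 32-byte hash (tx or block hash)
// also matches HEX_KEY, so findings are review items rather than proof.
function scanConfigSource(source) {
  const findings = [];
  source.split("\n").forEach((text, i) => {
    for (const m of text.matchAll(HEX_KEY)) {
      findings.push({ line: i + 1, kind: "private-key", excerpt: redact(m[0]) });
    }
    for (const m of text.matchAll(MNEMONIC)) {
      findings.push({ line: i + 1, kind: "mnemonic", excerpt: redact(m[1]) });
    }
  });
  return findings;
}

// Weak pattern (constructed): literal accounts on two networks.
const SAMPLE_CONFIG = `require("@nomicfoundation/hardhat-toolbox");
module.exports = {
  solidity: "0.8.24",
  networks: {
    sepolia: {
      url: process.env.SEPOLIA_RPC_URL,
      accounts: ["0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"],
    },
    mainnet: {
      url: "https://example.invalid",
      accounts: { mnemonic: "test test test test test test test test test test test junk" },
    },
  },
};
`;

// Same config with the literals moved out of the file (constructed). A
// dependency loaded by this config still runs in the same Node.js process and
// can read process.env, so this is hygiene against accidental leakage, not
// isolation from a malicious package.
const SAFER_CONFIG = `require("@nomicfoundation/hardhat-toolbox");
module.exports = {
  networks: {
    sepolia: { url: process.env.SEPOLIA_RPC_URL, accounts: [process.env.DEPLOYER_KEY] },
  },
};
`;

// Print redacted findings and return true when the source is clean (CI gate).
function checkOrFail(source) {
  const findings = scanConfigSource(source);
  for (const f of findings) console.log(`line ${f.line}: ${f.kind} literal (${f.excerpt})`);
  return findings.length === 0;
}

console.log("sample config clean:", checkOrFail(SAMPLE_CONFIG));
console.log("safer config clean:", checkOrFail(SAFER_CONFIG));
```

Run it over the repository's config files in a pre-commit hook and treat any finding as a blocker; the hex heuristic will also fire on transaction hashes pasted into a config, which is an acceptable cost for a check whose purpose is to keep signing keys out of source control.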
## Related Tools/Techniques
- **`ethereumvulncontracthandler`**: Another observed malicious npm package reported separately, which masqueraded as a contract vulnerability checker but dropped the Quasar RAT.
- **General Software Supply Chain Compromise:** Broader trend seen in npm of injecting malware via typosquatting or dependency confusion.