Pierluigi Paganini
January 04, 2025
Hardhat, by the Nomic Foundation, is an essential Ethereum tool, enabling streamlined smart contract and dApp development with customizable plugins.
Socket researchers reported a supply chain attack targeting the Nomic Foundation and Hardhat platforms, attackers use malicious npm packages to steal critical data like private keys and configuration details.
The experts already identified t
“This ongoing attack targets the Nomic Foundation, Hardhat, and associated plugins via malicious npm packages that impersonate legitimate plugins. The attack has led to the identification of 20 malicious packages published by three primary authors, with the most downloaded package, @nomicsfoundation/sdk-test, accumulating 1,092 downloads.” reads the report published by Socket. “The impact includes compromised development environments, potential backdoors in production systems, and loss of funds.”
Threat actors behind this campaign mimicked the names of legitimate packages and organizations to trick developed into using them.
Attackers steal sensitive data like mnemonics and private keys from Hardhat, encrypt it with AES, and exfiltrate it to endpoints under their control.
“The attack begins when compromised packages are installed. These packages exploit the Hardhat runtime environment using functions such as hreInit() and hreConfig() to collect sensitive details like private keys, mnemonics, and configuration files.” continues the report. “The collected data is transmitted to attacker-controlled endpoints, leveraging hardcoded keys and Ethereum addresses for streamlined exfiltration.”
This campaign underscores the need for vigilance in open-source package use. Developers should adopt stricter auditing tools to detect and prevent such kind of attacks.
The report provides the list of malicious packages discovered by Socket, along with Indicators of Compromise (IOCs).
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, npm packages)
