Cybersecurity researchers have recently uncovered several suspicious packages in the npm registry designed to steal Ethereum private keys and gain remote access to victims’ machines via the secure shell (SSH) protocol.
According to Phylum, a software supply chain security company, these packages attempt to "gain SSH access to the victim's machine by writing the attacker's SSH public key in the root user's authorized_keys file." The company's analysis, published last week, outlines how these packages aim to exploit systems.
The packages that are part of this campaign mimic legitimate ethers packages and include the following:
- ethers-mew (62 downloads)
- ethers-web3 (110 downloads)
- ethers-6 (56 downloads)
- ethers-eth (58 downloads)
- ethers-aaa (781 downloads)
- ethers-audit (69 downloads)
- ethers-test (336 downloads)
The attackers behind these packages, mostly published by users with names like "crstianokavic" and "timyorks," appear to have iterated on the same code, with only minor changes between the variants. Of these, ethers-mew appears to be the most complete and potentially dangerous.
This isn't the first time that rogue packages with similar malicious behavior have been found in the npm registry. In August 2023, Phylum identified a package called ethereum-cryptographyy, which was a typosquat of a popular cryptocurrency library. That package exfiltrated users' private keys to a server in China by sneaking in a malicious dependency.
Ethereum Wallets with SSH Backdoor
This latest attack uses a different approach, embedding the malicious code directly into the package, enabling attackers to steal Ethereum private keys and send them to the domain "ether-sign[.]com," which they control.
What makes this attack particularly sneaky is that the malicious package requires the developer to actually use it in their code – for example, by creating a new Wallet instance with the imported package. This is unlike other malware campaigns where merely installing the package would trigger the malicious activity.
Moreover, the ethers-mew package has additional functionality that modifies the "/root/.ssh/authorized_keys" file. By doing so, it adds an SSH key owned by the attacker, allowing persistent remote access to the compromised system.
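As an added defensive example (not Phylum's tooling and not code from the packages described), the following Python script walks a node_modules directory and flags packages that either borrow the "ethers" name or reference the two indicators the article names: the root user's authorized_keys file and the ether-sign[.]com domain. The sample tree it builds is constructed for the demo; the indicator strings are the only values taken from the article.

```python
import re
import tempfile
from pathlib import Path

# Indicators taken from the article: the SSH persistence target and the exfiltration domain.
IOC_DOMAIN = "ether-sign.com"
INDICATORS = {
    "ssh_persistence": re.compile(r"\.ssh/authorized_keys"),
    "exfil_domain": re.compile(re.escape(IOC_DOMAIN)),
}

def lookalike_of_ethers(name: str) -> bool:
    """Flag names that ride on the real 'ethers' package, e.g. ethers-mew or ethers-6."""
    return name != "ethers" and re.fullmatch(r"ethers[-_.].+", name) is not None

def scan_package(pkg_dir: Path) -> dict:
    """Grep every .js/.mjs/.cjs file in one package for the indicators above."""
    hits = []
    for f in sorted(pkg_dir.rglob("*")):
        if not f.is_file() or f.suffix not in (".js", ".mjs", ".cjs"):
            continue
        text = f.read_text(errors="ignore")
        for label, pat in INDICATORS.items():
            if pat.search(text):
                hits.append((str(f.relative_to(pkg_dir)), label))
    return {"name": pkg_dir.name, "lookalike": lookalike_of_ethers(pkg_dir.name), "hits": hits}

def scan_node_modules(root: Path) -> list:
    """Return one finding per package that is a lookalike or contains an indicator."""
    findings = []
    # Scoped packages (@scope/name) live one level deeper and are skipped here for brevity.
    for pkg in sorted(p for p in root.iterdir() if p.is_dir() and not p.name.startswith("@")):
        result = scan_package(pkg)
        if result["lookalike"] or result["hits"]:
            findings.append(result)
    return findings

def build_sample_tree() -> Path:
    """Constructed node_modules for the demo; file contents are stand-ins, not real package code."""
    root = Path(tempfile.mkdtemp()) / "node_modules"
    (root / "ethers").mkdir(parents=True)
    (root / "ethers" / "index.js").write_text("module.exports = { Wallet: class Wallet {} };\n")
    (root / "ethers-mew").mkdir()
    (root / "ethers-mew" / "index.js").write_text(
        "const keyFile = '/root/.ssh/authorized_keys';\n"
        "const sink = 'https://ether-sign.com/';\n")
    return root

if __name__ == "__main__":
    for finding in scan_node_modules(build_sample_tree()):
        print(finding["name"], "lookalike" if finding["lookalike"] else "", finding["hits"])
```

Point `scan_node_modules` at a project's real node_modules to audit it; a hit on either indicator in a package that is not the genuine `ethers` is a strong signal to quarantine the host and rotate any keys it held.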
Phylum notes that "all of these packages, along with the authors' accounts, were only up for a very short period of time, apparently removed and deleted by the authors themselves."