A supply chain attack targeting key components of the Ethereum development ecosystem has affected the Nomic Foundation and Hardhat platforms.
The attackers infiltrated the ecosystem using malicious npm packages, exfiltrating sensitive data such as private keys, mnemonics and configuration files.
Attack Details and Methodology
This attack, discovered by Socket, involves the distribution of 20 malicious npm packages created by three primary authors. One package, @nomicsfoundation/sdk-test, was downloaded 1092 times. The breach exposes development environments to backdoors, risks financial losses and could lead to compromised production systems.
The attackers employed Ethereum smart contracts to control command-and-control (C2) server addresses. This tactic leverages blockchain’s decentralized and immutable properties, complicating efforts to disrupt the infrastructure. One such contract, in particular, dynamically provided C2 addresses to infected systems.
The impersonation strategy used by the attackers mimics legitimate Hardhat plugins, embedding themselves into the supply chain.
Examples include malicious packages named @nomisfoundation/hardhat-configure and @monicfoundation/hardhat-config, closely resembling genuine Hardhat plugins. These deceptive packages target development processes like deployment, gas optimization and smart contract testing.
Read more on preventing supply chain attacks in open source software: RSAC: Three Strategies to Boost Open-Source Security
Key similarities between the malicious and legitimate plugins include the use of naming conventions closely resembling genuine Hardhat plugins, the claim of providing useful extensions and the targeting of similar development processes.
Additionally, both types of plugins exploit developers’ trust by being hosted on npm. Malicious plugins, however, specifically take advantage of the Hardhat Runtime Environment (HRE), using functions like hreInit() and hreConfig() to collect and exfiltrate sensitive data, including private keys and mnemonics.
The attack flow begins with the installation of compromised packages. These packages exploit HRE using the mentioned functions to collect sensitive data. The data is then encrypted with a predefined AES key and transmitted to attacker-controlled endpoints.
Preventive Measures for Developers
Developers are encouraged to adopt stricter auditing and monitoring practices to protect their development environments. Implementing measures such as securing privileged access management, adopting a zero-trust architecture and conducting regular security assessments can significantly reduce the risk of supply chain attacks.
Additionally, maintaining a software bill of materials (SBOM) and hardening the build environment are recommended strategies to enhance security.
By integrating these practices, developers can significantly reduce the risk of supply chain attacks and enhance the overall security of their software development processes.