Over 1,000 Downloads: 20 Malicious npm Packages Impersonate Ethereum Development Tool Hardhat to Steal Sensitive Information
On January 3, the technology news outlet BleepingComputer reported that security researchers had discovered cybercriminals deploying malicious packages on npm to impersonate Hardhat, a widely used Ethereum development environment.
These packages aimed to steal sensitive information, including developers’ private keys and other critical data.

Hardhat, maintained by the Nomic Foundation, is a popular development tool for building, testing, and deploying smart contracts and decentralized applications (dApps) on the Ethereum blockchain. Its primary users include blockchain developers, fintech companies, startups, and educational institutions.
Typically, these users rely on npm (Node Package Manager) to manage project dependencies, libraries, and modules. As a critical tool in the JavaScript ecosystem, npm’s broad usage makes it an attractive target for malicious actors.
Attackers exploited npm by creating three accounts that hosted 20 malicious packages, collectively downloaded over 1,000 times. These packages utilized “typosquatting” techniques to mimic legitimate package names, tricking users into installing them.
Socket, a cybersecurity company, identified and disclosed the names of 16 of these malicious packages, including:
- nomicsfoundations
- @nomisfoundation/hardhat-configure
- installedpackagepublish
- @nomisfoundation/hardhat-config
- @monicfoundation/hardhat-config
- @nomicsfoundation/sdk-test
- @nomicsfoundation/hardhat-config
- @nomicsfoundation/web3-sdk
- @nomicsfoundation/sdk-test1
- @nomicfoundations/hardhat-config
- crypto-nodes-validator
- solana-validator
- node-validators
- hardhat-deploy-others
- hardhat-gas-optimizer
- solidity-comments-extractors
Once installed, the code within these malicious packages attempted to harvest Hardhat private keys, configuration files, and mnemonics (phrases used to access Ethereum wallets). The data was encrypted with hardcoded AES keys before being transmitted to endpoints controlled by the attackers.
According to Socket, the malicious packages exploited functions such as hreInit() and hreConfig() to collect sensitive information directly from the Hardhat runtime environment. The stolen data was sent to attacker-controlled Ethereum addresses via these hardcoded keys.
This attack poses significant risks as many of the compromised systems belong to developers. By gaining unauthorized access to production systems, attackers could sabotage smart contracts, deploy malicious clones of existing dApps, or initiate large-scale, high-impact attacks.
Security teams and developers using Hardhat or related tools are advised to carefully audit their npm dependencies, remove any suspicious packages, and rotate keys immediately if affected.
Regular security checks and vigilance against typosquatting are essential in mitigating such threats.