Russian-Speaking Attackers Target Ethereum Devs with Fake Hardhat npm Packages

Category	Details
Threat Actors	_lain (Russian-speaking threat actor)
Campaign Overview	Malicious npm packages impersonating the Nomic Foundation’s Hardhat tool to steal sensitive data from developer systems.
Target Regions (Or Victims)	Developers using npm registry, particularly those in Ethereum and blockchain development.
Methodology	Exploit trust in open source packages to inject malicious code, harvesting sensitive information such as private keys and mnemonics.
Product Targeted	Hardhat (Ethereum development tool), npm ecosystem, Ethereum-based smart contract applications.
Malware Reference	Quasar RAT, MisakaNetwork (blockchain-powered botnet).
Tools Used	Malicious npm packages, OAST tools (oastify.com, oast.fun), Ethereum smart contracts for C2 address distribution.
Vulnerabilities Exploited	Complexity and dependency sprawl in npm ecosystem, unreviewed packages and dependencies.
TTPs	Exploiting open source package trust, using hardcoded keys for data exfiltration, creating complex dependency chains.
Attribution	_lain (Russian-speaking threat actor), exploiting npm ecosystem complexities.
Recommendations	Verify package authenticity, inspect source code before installation, exercise caution with package names.
Source	The Hackers News

Read full article: https://thehackernews.com/2025/01/russian-speaking-attackers-target.html

The above summary has been generated by an AI language model