MarketAlert – Real-Time Market & Crypto News, Analysis & Alerts
Blockchain Security

Explained: how crypto’s ‘largest supply chain attack’ stole just $0.05

Last updated: September 9, 2025 9:50 pm
Published: 8 months ago

A widespread software supply chain attack caused panic across the crypto community yesterday, with users warned to “refrain from making any on-chain transactions.”

Researchers at security firm Aikido raised the alarm after discovering that 18 popular node package manager (npm) packages contained malicious code.

After being notified, the developer who maintains the popular npm packages, alias Qix, confirmed the compromise. He’d been “pwned” via a phishing email which “looked very legitimate.”

Despite the packages being widespread across the crypto industry, the attack led to almost no losses.

Samczsun, the head of Security Alliance, a blockchain security collective, called the result a “generational fumble.”

Read more: ‘Decentralized’ apps suffer after Ledger Connect Kit attack

While short-lived, the compromise was far-reaching because packages such as “chalk” and “debug-js” are used so frequently.

Analysis of the incident by Security Alliance stated that the compromised packages total “over 2 billion downloads per week.” It called the incident “likely the largest supply chain attack in history.”

In theory, the compromised packages could be used to modify transaction data for crypto users.

The Aikido report explains how the code “intercepts crypto and web3 activity in the browser” before it “rewrites payment destinations so that funds and approvals are redirected to attacker-controlled accounts without any obvious signs to the user.”

To camouflage the substituted addresses, the code uses the Levenshtein distance algorithm: from the attacker’s pool of addresses it selects one that is visually similar to the legitimate address and injects that one in each attack, so the swap is hard to spot.
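The following is an added example, not code from the article or from Aikido, Security Alliance or MetaMask. It shows the defensive side of the same idea: because the malware picks attacker-controlled addresses that are only a few edits away from the legitimate one, a wallet or dapp front end can compute the Levenshtein distance between the address the user intended (from an address book or an earlier confirmation) and the address actually about to be signed, and flag near-matches before signing. The sample addresses, the `checkDestination` helper and the edit-distance threshold of 6 are constructed assumptions; the check works on any address format once normalised to a string.

```javascript
// Added example (not from the article or any project it names): flag an
// outgoing transaction whose destination is a near-match of the intended
// address, the pattern produced by a Levenshtein-guided address swap.

// Classic Levenshtein edit distance (insert, delete, substitute; cost 1 each),
// computed with a single rolling row of the dynamic-programming table.
function levenshtein(a, b) {
  if (a === b) return 0;
  if (a.length === 0) return b.length;
  if (b.length === 0) return a.length;
  let prev = new Array(b.length + 1);
  for (let j = 0; j <= b.length; j++) prev[j] = j;
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Normalise an EVM-style hex address for comparison: trim, lowercase, drop 0x.
function normalizeAddress(addr) {
  return addr.trim().toLowerCase().replace(/^0x/, "");
}

// Compare the address the user intended with the one a dapp is about to ask
// the wallet to sign for. Verdicts:
//   "match"     - identical after normalisation
//   "lookalike" - differs, but within maxDistance edits: the swap pattern
//   "different" - clearly another address (still worth a confirmation step)
// maxDistance = 6 is an assumed threshold, not a value from the article.
function checkDestination(intended, actual, maxDistance = 6) {
  const distance = levenshtein(normalizeAddress(intended), normalizeAddress(actual));
  let verdict;
  if (distance === 0) verdict = "match";
  else if (distance <= maxDistance) verdict = "lookalike";
  else verdict = "different";
  return { distance, verdict };
}

// Constructed sample addresses (not real accounts).
const INTENDED = "0xab12cd34ef56ab12cd34ef56ab12cd34ef56ab12";
const SWAPPED = "0xab12cd34ef56ab12cd34ef56ab12cd34ef56ab99"; // last two chars changed
const UNRELATED = "0x" + "9f".repeat(20);

if (typeof require !== "undefined" && require.main === module) {
  for (const actual of [INTENDED, SWAPPED, UNRELATED]) {
    const r = checkDestination(INTENDED, actual);
    console.log(`${actual}  distance=${r.distance}  verdict=${r.verdict}`);
  }
}
```

A wallet would run this check against the address the user confirmed (or one stored in their address book) at the moment the signing request arrives, and treat a "lookalike" verdict as a hard stop that shows both addresses side by side.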

MetaMask, crypto’s most popular browser wallet, took to X to reassure users that they need not be “scared” of the attack. It detailed three “layers of defense” in place “to protect our products and users.”

0xngmi, the pseudonymous developer of decentralized finance dashboard DeFiLlama, explained that malicious packages would “only impact websites that pushed an update since the hacked npm package was published,” adding “most projects pin their dependencies, so even if they push an update they’ll keep using the old safe code.”
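As an added illustration of the pinning point quoted above (this is example code, not from the article, Protos or any of the projects named), the block below audits how each dependency in a project manifest is pinned. It reads the `packages` map used by package-lock.json (lockfileVersion 2 and 3) and classifies every dependency as pinned exactly in the manifest, locked to a resolved version with an integrity hash, or floating. The manifest, lockfile, version numbers and integrity strings are all constructed placeholders; the package names `chalk` and `debug` (the article calls the latter “debug-js”) are the only values taken from the page.

```javascript
// Added example (not from the article or any project it names): classify how
// each dependency is pinned, using a constructed package.json and
// package-lock.json in the lockfileVersion 2/3 layout.

// Classification of a single dependency:
//   "exact"    - the manifest itself names one version (no range operator)
//   "locked"   - the manifest uses a range, but the lockfile records a resolved
//                version with an integrity hash, so rebuilds are reproducible
//   "floating" - range in the manifest and no usable lock entry: a fresh
//                install takes whatever the registry serves next
function classifyDependency(name, range, lock) {
  const exact = /^\d+\.\d+\.\d+$/.test(range);
  const entry = lock && lock.packages && lock.packages[`node_modules/${name}`];
  const locked = Boolean(entry && entry.version && entry.integrity);
  if (exact) return { name, range, status: "exact", resolved: range };
  if (locked) return { name, range, status: "locked", resolved: entry.version };
  return { name, range, status: "floating", resolved: null };
}

// Audit every runtime and dev dependency in a manifest against its lockfile.
function auditPins(manifest, lock) {
  const deps = Object.assign({}, manifest.dependencies || {}, manifest.devDependencies || {});
  return Object.entries(deps).map(([name, range]) => classifyDependency(name, range, lock));
}

// Constructed sample inputs. Version numbers and integrity strings are
// placeholders, not the real published values.
const SAMPLE_MANIFEST = {
  name: "example-dapp",
  dependencies: {
    chalk: "^4.0.0",
    debug: "4.0.0",
    "some-other-lib": "^1.0.0"
  }
};

const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "node_modules/chalk": { version: "4.0.0", integrity: "sha512-PLACEHOLDER-NOT-A-REAL-HASH" },
    "node_modules/debug": { version: "4.0.0", integrity: "sha512-PLACEHOLDER-NOT-A-REAL-HASH" }
    // no entry for some-other-lib: it would be resolved afresh from the registry
  }
};

if (typeof require !== "undefined" && require.main === module) {
  for (const r of auditPins(SAMPLE_MANIFEST, SAMPLE_LOCK)) {
    console.log(`${r.name.padEnd(16)} ${r.range.padEnd(8)} ${r.status.padEnd(9)} ${r.resolved ?? "-"}`);
  }
}
```

Run against a real project, replace the two constructed objects with the parsed contents of package.json and package-lock.json; any "floating" result is a dependency whose next install could pick up a newly published version.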

In all, the compromised packages remained available for around two and a half hours. While the issue is marked as resolved on GitHub, Qix warns that “other maintainers have been affected. Stay vigilant.”

Once it became clear that the danger was limited, the community turned its focus to the attacker’s addresses.

Ridicule even came on-chain with one transaction input data message calling the attacker a “bloody fool.” The user made fun of the hacker who “hacked a massive npm developer account and still [couldn’t] steal [a] single penny. You are such a looser [sic].”

Security researchers took a moment to reflect, worrying that the bungled attempt may have “shown the way” for copycats.

Read more: The solution to crypto’s Lazarus problem could be simpler than expected

The Security Alliance X account says the industry “got lucky.” A “stealthily deployed backdoor” targeting developers could have persisted for long enough to be integrated into crypto apps.

Its incident report points to the true cost as the wasted “hours spent by engineering and security teams” and the “sales contracts that will inevitably be signed as a result of this new case study.”

This news is powered by Protos

© Market Alert News. All Rights Reserved.