Deceptive npm Packages Target Programmers’ Ethereum Purses with SSH Trapdoor

AndyC 23 October 2024

Oct 22, 2024Ravie LakshmananWeakness / Source Chain

Computer security analysts have come across several doubtful packages shared on the npm registry that are crafted to collect Ethereum secret keys and acquire distant entry to the machine via the

Malicious npm Packages Target Developers' Ethereum Wallets with SSH Backdoor

Oct 22, 2024Ravie LakshmananWeakness / Source Chain

Malicious npm Packages Target Developers' Ethereum Wallets with SSH Backdoor

Computer security analysts have come across several doubtful packages shared on the npm registry that are crafted to collect Ethereum secret keys and acquire distant entry to the machine via the secure shell (SSH) protocol.

The packages endeavor to “capture SSH entry to the victim’s machine by inscribing the invader’s SSH public key in the root user’s authorized_keys file,” software source chain security company Phylum stated in an analysis put out last week.

The lineup of packages, which strive to mimic the bona fide ethers package, recognized as part of the strategy are cataloged as follows –

A few of these packages, most of which have been released by profiles titled “crstianokavic” and “timyorks,” are believed to have been put out for trial reasons, as most of them present slight variations across them. The newest and most exhaustive package in the catalog is ethers-mew.

Computer Security

This is not the initial occurrence rogue packages with comparable functionality have been detected in the npm registry. In August 2023, Phylum outlined a package named ethereum-cryptographyy, a typosquat of a well-known cryptocurrency library that siphoned off the users’ secret keys to a server in China by inserting a malevolent dependency.

Ethereum Wallets with SSH Backdoor

The most recent attack campaign adopts a slightly distinct method in which the malevolent code is embedded directly into the packages, allowing malicious actors to drain the Ethereum secret keys to the domain “ether-sign[.]com” under their control.

What renders this assault much more underhanded is the necessity for the developer to genuinely utilize the package in their code – like creating a new Wallet instance using the imported package – unlike commonly observed scenarios where just installing the package is adequate to initiate the execution of the malware.

Moreover, the ethers-mew package is furnished with functionalities to alter the “/root/.ssh/authorized_keys” file to append an invader-owned SSH key and grant them enduring remote access to the infringed host.

“All of these packages, along with the authors’ accounts, were only up for a very brief period of time, seemingly removed and eradicated by the authors themselves,” Phylum said.

Found this article intriguing? Follow us on Twitter and LinkedIn to peruse more exclusive content we post.

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts

Tags: , , , , , , , , ,

More Stories

CISA Flags Critical ASUS Live Update Flaw After Evidence of Active Exploitation

CISA Flags Critical ASUS Live Update Flaw After Evidence of Active Exploitation

AndyC 18 December 2025
Cisco Warns of Active Attacks Exploiting Unpatched 0-Day in AsyncOS Email Security Appliances

Cisco Warns of Active Attacks Exploiting Unpatched 0-Day in AsyncOS Email Security Appliances

AndyC 18 December 2025
SonicWall Fixes Actively Exploited CVE-2025-40602 in SMA 100 Appliances

SonicWall Fixes Actively Exploited CVE-2025-40602 in SMA 100 Appliances

AndyC 18 December 2025
Kimwolf Botnet Hijacks 1.8 Million Android TVs, Launches Large-Scale DDoS Attacks

Kimwolf Botnet Hijacks 1.8 Million Android TVs, Launches Large-Scale DDoS Attacks

AndyC 18 December 2025
APT28 Targets Ukrainian UKR-net Users in Long-Running Credential Phishing Campaign

APT28 Targets Ukrainian UKR-net Users in Long-Running Credential Phishing Campaign

AndyC 18 December 2025
New ForumTroll Phishing Attacks Target Russian Scholars Using Fake eLibrary Emails

New ForumTroll Phishing Attacks Target Russian Scholars Using Fake eLibrary Emails

AndyC 18 December 2025

You may have missed

Hospital Ransomware Really is The Pitt

How CISOs Can Beat the Ransomware Blame Game 

AndyC 18 December 2025
Using AI to automatically cancel customers? Not a smart move

2026 Cyber Predictions: Accelerating AI, Data Sovereignty, and Architecture Rationalization 

AndyC 18 December 2025
Smashing Security podcast #448: The Kindle that got pwned

Smashing Security podcast #448: The Kindle that got pwned

AndyC 18 December 2025
What’s Powering Enterprise AI in 2025: ThreatLabz Report Sneak Peek

Private Certificate Authority 101: From Setup to Management

AndyC 18 December 2025
CISA Flags Critical ASUS Live Update Flaw After Evidence of Active Exploitation

CISA Flags Critical ASUS Live Update Flaw After Evidence of Active Exploitation

AndyC 18 December 2025

Subscribe To InfoSec Today News

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

World Wide Crypto will use the information you provide on this form to be in touch with you and to provide updates and marketing.