Cybersecurity researchers have uncovered a wave of malicious npm packages impersonating the Nomic Foundation's Hardhat tool, aiming to exfiltrate sensitive developer data. These fake packages exploit trust in open-source plugins, stealing private keys, mnemonics, and critical configurations from affected systems.
According to Socket's research team, these malicious packages infiltrate the npm registry, masquerading as legitimate Hardhat tools. Once installed, they execute scripts designed to extract sensitive data and transmit it to an attacker-controlled server.
What is Hardhat?
Hardhat is a widely used Ethereum development environment, providing tools for compiling, debugging, and deploying smart contracts and decentralized applications (dApps).
List of Malicious Packages Identified
The following counterfeit npm packages have been flagged:
nomicsfoundations
@nomisfoundation/hardhat-configure
installedpackagepublish
@nomisfoundation/hardhat-config
@monicfoundation/hardhat-config
@nomicsfoundation/sdk-test
@nomicsfoundation/hardhat-config
@nomicsfoundation/web3-sdk
@nomicsfoundation/sdk-test1
@nomicfoundations/hardhat-config
crypto-nodes-validator
solana-validator
node-validators
hardhat-deploy-others
hardhat-gas-optimizer
solidity-comments-extractors
How the Attack Works
One of the malicious packages, @nomicsfoundation/sdk-test, recorded over 1,092 downloads and has been available since October 2023. Upon installation, these packages leverage Hardhat’s runtime environment to extract mnemonic phrases and private keys, sending them to attacker-controlled endpoints.
The attack methodology includes:
Exploiting functions like hreInit() and hreConfig() to extract confidential information.
Using hardcoded keys and Ethereum addresses for automated data exfiltration.
Leveraging the dependency complexity within the npm ecosystem to evade detection.
Related Threats: Quasar RAT and MisakaNetwork Botnet
This discovery follows another recent npm attack where a package named ethereumvulncontracthandler posed as a security auditing tool but instead deployed the Quasar RAT malware.
Additionally, threat actors have been leveraging Ethereum smart contracts to distribute Command-and-Control (C2) server addresses, forming a blockchain-powered botnet called MisakaNetwork. This campaign has been linked to a Russian-speaking hacker known as "_lain."
Wider Supply Chain Threats Across npm, PyPI, and RubyGems
Beyond npm, researchers have detected phishing libraries across multiple ecosystems, exploiting Out-of-Band Application Security Testing (OAST) techniques to siphon sensitive data.
Identified malicious packages include:
adobe-dcapi-web (npm) – Avoids targeting endpoints in Russia while collecting system information.
monoliht (PyPI) – Harvests system metadata.
chauuuyhhn, nosvemosssadfsd, holaaaaaafasdf (RubyGems) – Use DNS queries to exfiltrate data via oastify.com.
According to Socket researcher Kirill Boychenko, ethical security testing tools are increasingly repurposed by threat actors for data theft, C2 communication, and multi-stage attacks.
How Developers Can Protect Themselves
To mitigate software supply chain risks, developers should:
Verify the authenticity of npm packages before installation.
Double-check package names to avoid typosquatting attacks.
Inspect source code for suspicious behaviors.
Use package integrity tools to detect unauthorized modifications.
Implement real-time monitoring of installed dependencies.
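As an added illustration of the name-checking steps above (not code from Socket, Hardhat or the Nomic Foundation), the following script audits a package.json dependency map against the counterfeit names listed in this article and flags scopes that sit within two edits of the legitimate @nomicfoundation scope; the sample dependency map, including the near-miss scope @nomlcfoundation, is constructed for the example.

```javascript
// Added example: blocklist match plus scope typosquat check for a dependency map.
const LEGIT_SCOPE = 'nomicfoundation';

// Counterfeit package names from the article's list (exact-match blocklist).
const KNOWN_BAD = new Set([
  'nomicsfoundations', '@nomisfoundation/hardhat-configure', 'installedpackagepublish',
  '@nomisfoundation/hardhat-config', '@monicfoundation/hardhat-config',
  '@nomicsfoundation/sdk-test', '@nomicsfoundation/hardhat-config',
  '@nomicsfoundation/web3-sdk', '@nomicsfoundation/sdk-test1',
  '@nomicfoundations/hardhat-config', 'crypto-nodes-validator', 'solana-validator',
  'node-validators', 'hardhat-deploy-others', 'hardhat-gas-optimizer',
  'solidity-comments-extractors',
]);

// Levenshtein edit distance (single-row dynamic programming), used to catch
// scopes that differ from the legitimate one by a couple of characters.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];
      row[j] = Math.min(row[j] + 1, row[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = above;
    }
  }
  return row[b.length];
}

// Returns one finding per suspicious dependency: { name, reason }.
function auditDependencies(deps) {
  const findings = [];
  for (const name of Object.keys(deps)) {
    if (KNOWN_BAD.has(name)) {
      findings.push({ name, reason: 'known malicious package' });
      continue;
    }
    const scoped = /^@([^/]+)\//.exec(name);
    if (scoped && scoped[1] !== LEGIT_SCOPE && editDistance(scoped[1], LEGIT_SCOPE) <= 2) {
      findings.push({ name, reason: `scope @${scoped[1]} resembles @${LEGIT_SCOPE}` });
    }
  }
  return findings;
}

// Constructed sample package.json "dependencies" (not from a real project).
const SAMPLE_DEPS = {
  '@nomicfoundation/hardhat-toolbox': '^5.0.0', // legitimate scope, should pass
  '@nomicsfoundation/sdk-test': '^1.0.0',       // listed in the article
  '@nomlcfoundation/hardhat-ethers': '^3.0.0',  // constructed near-miss scope
  hardhat: '^2.22.0',
};
console.log(auditDependencies(SAMPLE_DEPS));
```

Run it with node against a real project's dependency map to get a list of names worth reviewing before install; an empty result means no blocklist hit and no near-miss scope, not that a package is safe.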
With cybercriminals continuously targeting open-source ecosystems, vigilance and proactive security measures are crucial for Ethereum developers and blockchain projects alike.