Yet Another Malware used to steal crypto wallets, and sensitive data.

[suzanne5223]

Malware called RAT, through the use of displaying fake npm install logs, is used to steal crypto wallets and sensitive data.

Software security experts uncovered a custom remote access trojan used through multiple fake npm install logs designed by hackers to steal crypto wallets and sensitive data.
All the remote access trojan activities were tracked by ReversingLabs, and the list of all the identified fake npm install logs packages used by the hackers was said to be

react-performance-suite
react-state-optimizer-core
react-fast-utilsa
ai-fast-auto-trader
pkgnewfefame1
carbon-mac-copy-cloner
coinbase-desktop-sdk


The fake npm install logs packages was said to be used to performed a large scale of attacks since last year with the most impactful being Shai-hulud which is the first open source package repository worm while some attacks were carry out through the use of larger fake job recruiter scheme with fake job interviews through the strategy of using coding tests to use it as a pretext for pushing downloaders to developers just to target crypto developers.

[Amphenomenon]

The npm threats became well last year and even after it was said to resolved I knew it wasn't over and more are still going to be discovered.

Dev needs to be careful, there are numbers of vulnerabilities and threats to be worried about when using API or frameworks/extentions.

[bitmover]

Software security experts uncovered a custom remote access trojan used through multiple fake npm install logs designed by hackers to steal crypto wallets and sensitive data.
All the remote access trojan activities were tracked by ReversingLabs, and the list of all the identified fake npm install logs packages used by the hackers was said to be

These are called the supply chain attacks.

Hackers attack the libraries or the developers installing libraries of projects.
In this case, the attack affects some wallets which use node js, mostly web wallets and browser wallets.

[Goodwater87]

Well, everyone stay safe out there- airgap your seed phrases, if possible use hardware wallets. Also, never you rush npm on some random GitHub rec. These kind of hacks have crazy impacts.

[cryptomaniac_xxx]

Probably one draw-back of open source package. Everyone can edit anything and if you are not careful, you might download a npm that has been injected by malware by the bad actors and it's going to be late when you've lost everything.

This is not the first time that we have heard this kind of attacks and obviously won't be the last. So for many devs here in our community, you are also a target now so self-awareness is the key to not be the next victims.

Here are the package names if others wanted to see:

Package Name	Version	SHA1
react-performance-suite	2.0.0	bdffc2f98ff422db9f9ddc190401cfcb686e3c32
react-performance-suite	2.0.1	5928e3121f12f3c5d690bc7968b28b2f67835ef5
react-state-optimizer-core	1.0.0	cbe7c87293de7ab5853e2aef3f638d54c45f5c9f
react-state-optimizer-core	1.0.2	1b4916fd65934f2f9efa7125335a85c104e1e17c
react-state-optimizer-core	1.0.3	32d6b0b70ba825456471fab82119980de01e57d0
react-state-optimizer-core	1.0.4	a5d4a4dbf036e4d7a5453db191f6e4320f604446
react-state-optimizer-core	1.0.5	be10e30cf25d57385c31281219daf87dc7921da6
react-state-optimizer-core	1.0.6	874919fbd4e23da4f959447acf394a619cc23f72
react-state-optimizer-core	1.0.7	7562690617de6eafe29c3f1d83c029ee73b9f50b
react-state-optimizer-core	1.0.8	b75fc27053819cd2e7f5cfe193a91844c199c285
react-state-optimizer-core	1.0.9	f9400843b42f0187e826e4c7a9786b0f09ab8992
react-state-optimizer-core	3.0.3	fe6ee1104c4b02be39819822ed959039ea313e67
react-state-optimizer-core	3.0.4	dc8ee405dd4402addae67ba6546f4f3781d7bdec
react-state-optimizer-core	3.0.5	84aab614cf6ad92b5498398e914a8f22056722d8
react-state-optimizer-core	3.0.6	a1cff6b52b7bfc61d08360af364ff7a4b4b2c504
react-state-optimizer-core	3.0.7	22ada4f5a95fd9b5edb76426b7dddb168145fda7
react-state-optimizer-core	3.0.8	729fbce89101f8f79a57189e89a7e63ee7d61388
react-state-optimizer-core	3.0.9	befa10ca40c2923390db04eb34391c32aa29e611
react-fast-utilsa	2.0.1	e6cfaef4b50d2a4ddd8453bf5a91e81a092d6e09
react-fast-utilsa	2.0.2	56b78d2027cbf7b40dcbd10f17462cd029d13dda
react-fast-utilsa	2.0.3	1d92c73a859096cf107d11c4acd089f7b4e61a5b
react-fast-utilsa	2.0.4	6169a0bc69c94f3a5c13d899ac612d2fabe98611
ai-fast-auto-trader	2.2.1	963b79f59fb2c070a06b9a2af9db2b5512c1ed74
ai-fast-auto-trader	2.2.2	1ac0d6fac272903eb83a885a40c6ce5b2656b6f3
ai-fast-auto-trader	2.2.3	d1a1f76cce48be58e5d72f31ba54e4e2372848ea
ai-fast-auto-trader	2.2.4	f579b2d0b65a3a3cb52be535a591bc8d0f1077b7
ai-fast-auto-trader	2.2.5	870636bcf3d2c0b9c4c12809a19af153ef154260
ai-fast-auto-trader	2.2.6	d22eb34facf13b5c1e820d9e6358eb4cd3797eaa
pkgnewfefame1	3.2.1	2a8c625660ad6bb7d7c953a147c84c0fcc75794b
carbon-mac-copy-cloner	1.1.0	63783f6e59d20e2c664123b349f22dd53d1293d4
carbon-mac-copy-cloner	1.1.1	60c88674128680b7e474607ba0fb8020c141ac71
carbon-mac-copy-cloner	1.1.10	b70a40b199d9a3cbbebfb0c1148b110acf3ec4eb
carbon-mac-copy-cloner	1.1.2	59ca6306e77eb7f93528016dca14964968556310
carbon-mac-copy-cloner	1.1.3	6c17eccf82c7d85a883dfa7feac0be835f827fe3
carbon-mac-copy-cloner	1.1.4	fb147ad540ae975228f8fe7d7fb557ff0670f69f
carbon-mac-copy-cloner	1.1.5	c486f9be10e6db40b8c30c8053dd44a6b2ac867e
carbon-mac-copy-cloner	1.1.6	e91baf3d270a21948833c50da1f0345d20ee1ec7
carbon-mac-copy-cloner	1.1.7	43a361eec666edab60f0e95740cf9e51c06106bc
carbon-mac-copy-cloner	1.1.8	bc3c787cf2b768f0a021fc3ca4fde65658a3f9e5
carbon-mac-copy-cloner	1.1.9	6d115186018b396ea62afce46d6616957bf3d7c0
carbon-mac-copy-cloner	1.2.1	4439720f0722d3c92615114f1099471efd280feb
coinbase-desktop-sdk	1.5.14	cb9208d756dc4d4674801611d8d5f5ba79e76366
coinbase-desktop-sdk	1.5.15	34ba816adda6ab74d0f4bbb04fdb8ed49b1137bb
coinbase-desktop-sdk	1.5.16	46e034baab242c110355eba0937d9e505232e8dc
coinbase-desktop-sdk	1.5.17	c02624f8cefe790b6dee529c7a0e97f4241d79ed
coinbase-desktop-sdk	1.5.19	d5ade32ac52140e6c25f50780dc4ff4d466faddb

[DYING_S0UL]

Another crucial information to note is that some of the evolved versions of this Shai Hulud RAT contain a sort of mechanism called "dead man's switch", meaning if the connection is severed by the user or the exfiltration is somehow stopped, the malware will attempt to erase all oof userdata, as well as overwrite  the disk. So that the users cannot recover any data.

https://about.gitlab.com/blog/gitlab-discovers-widespread-npm-supply-chain-attack/

[cryptomaniac_xxx]

Another crucial information to note is that some of the evolved versions of this Shai Hulud RAT contain a sort of mechanism called "dead man's switch", meaning if the connection is severed by the user or the exfiltration is somehow stopped, the malware will attempt to erase all oof userdata, as well as overwrite  the disk. So that the users cannot recover any data.

https://about.gitlab.com/blog/gitlab-discovers-widespread-npm-supply-chain-attack/

The attack is rely sophisticated, there are even malwares that check if you are running in VPS on is a sandbox, if they know then they will not deploy their malware. Then reading all the footprints of your hardware so make sure that got everything before they can wipe out or just stay hidden in the memory.

And even if you restart your hardware, they are going to be persistence. That's why this malware are really today, and even if you have anti-virus, they can easily bypass it. So for us, it's really very very hard to know that in this example, a npm malware is lace with malware.

As you can see on the package that includes in this attack, one attack vector is coinbase.