Several NPM packages used in blockchain development—including one active for nearly a decade—have been hijacked to spread infostealer malware, according to new findings by software supply chain security firm Sonatype.
These compromised packages, once considered safe tools for crypto developers, have recently been updated with hidden malicious code capable of stealing sensitive data from users’ systems. Sonatype warns that these altered versions now pose a serious security risk.
Obfuscated Malware Found in Popular Blockchain Tools
The infected packages were designed to assist developers in building apps that interact with blockchain services. However, the latest versions contain obfuscated installation scripts that secretly run in the background. These scripts extract confidential system data such as:
- Environment variables
- API keys
- SSH credentials
- Access tokens
This data theft happens as soon as the malicious package is installed.
Old Packages, New Threats
Among the targeted libraries is ‘country-currency-map’, which had not seen updates in five years. This week, a new version suddenly appeared on NPM—packed with infostealer malware. The malicious update was quickly deprecated after discovery, with maintainers advising developers to revert to the last safe version.
Another hijacked package, ‘bnb-javascript-sdk-nobroadcast’, had also been inactive for years until a similarly dangerous version surfaced.
In total, at least a dozen packages were compromised, including:
- @bithighlander/bitcoin-cash-js-lib
- eslint-config-travix
- @crosswise-finance1/sdk-v2
- @keepkey/device-protocol
- @veniceswap/uikit
- @veniceswap/eslint-config-pancake
- babel-preset-travix
- @travix/ui-themes
- @coinmasters/types
Together, these packages have been downloaded around 500,000 times over the years, making the impact of the breach potentially widespread.
Hijackers Bypassed GitHub, Targeted NPM Directly
Interestingly, the GitHub repositories for these packages remained untouched. All malicious code injections were found only in the NPM versions. This suggests that attackers may have gained unauthorized access to NPM publisher accounts—possibly through credential stuffing attacks targeting old or inactive maintainers.
Weak Security Measures Leave Projects Vulnerable
Although NPM enforced mandatory two-factor authentication (2FA) in 2022 for high-impact projects (those with over a million weekly downloads or 500+ dependents), not all maintainers are yet enrolled in 2FA protection.
Sonatype emphasized this gap in its report, stating, “Some authors still need to enroll in two-factor authentication,” leaving the door open for further hijacks.
Why This Matters for Developers
This attack highlights ongoing risks in the software supply chain, particularly for open-source tools widely used in blockchain and crypto development. Developers relying on NPM must stay alert, verify package versions, and avoid installing recently published updates to long-dormant packages without inspecting the code.
Cybersecurity experts recommend always locking dependencies to specific, known-safe versions and enabling 2FA for all developer accounts to reduce the risk of account takeover.
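A defender-side check for the two warning signs the article describes (a release appearing after years of dormancy, and install-time lifecycle scripts), written in JavaScript as an added example that is not code from the article or from Sonatype. It assumes the full npm registry metadata shape (name, time, versions[version].scripts); the package names, versions and dates below are constructed sample data, not real packages.

```javascript
// Added example, not code from the article or from Sonatype. Flags the two signs
// the article describes: a version published after years of dormancy, and npm
// lifecycle scripts that run at install time. The document shape (time,
// versions[v].scripts) follows the full npm registry document; sample data is constructed.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];
const DAY_MS = 24 * 60 * 60 * 1000;

// Publish history, oldest first, skipping the registry's "created"/"modified" keys.
function publishHistory(doc) {
  return Object.entries(doc.time)
    .filter(([key]) => key !== "created" && key !== "modified")
    .map(([version, iso]) => ({ version, at: new Date(iso) }))
    .sort((a, b) => a.at - b.at);
}

// Assess the newest release. dormantDays is the idle period after which a sudden
// release deserves manual code review before it is installed.
function assessLatest(doc, dormantDays = 365) {
  const history = publishHistory(doc);
  const latest = history[history.length - 1];
  const previous = history[history.length - 2];
  const gapDays = previous ? Math.floor((latest.at - previous.at) / DAY_MS) : 0;
  const scripts = (doc.versions[latest.version] || {}).scripts || {};
  const installHooks = INSTALL_HOOKS.filter((hook) => hook in scripts);
  const dormant = gapDays >= dormantDays;
  // "high": both signs present (the pattern in the article); "review": only one of them.
  const risk = dormant && installHooks.length ? "high" : dormant || installHooks.length ? "review" : "ok";
  return { name: doc.name, version: latest.version, gapDays, installHooks, risk };
}

// Constructed registry documents: a long-dormant package that suddenly gained a
// release with a postinstall hook, and an actively maintained package without hooks.
const DORMANT_DOC = {
  name: "example-dormant-pkg",
  time: { created: "2019-03-01T00:00:00.000Z", "1.0.0": "2019-03-01T00:00:00.000Z",
          "1.0.1": "2019-06-10T00:00:00.000Z", "1.1.0": "2025-03-20T00:00:00.000Z",
          modified: "2025-03-20T00:00:00.000Z" },
  versions: { "1.0.0": { scripts: {} }, "1.0.1": { scripts: { test: "mocha" } },
              "1.1.0": { scripts: { test: "mocha", postinstall: "node setup.js" } } },
};
const ACTIVE_DOC = {
  name: "example-active-pkg",
  time: { created: "2024-11-01T00:00:00.000Z", "2.0.0": "2024-11-01T00:00:00.000Z",
          "2.1.0": "2025-01-15T00:00:00.000Z", modified: "2025-01-15T00:00:00.000Z" },
  versions: { "2.0.0": { scripts: { build: "tsc" } }, "2.1.0": { scripts: { build: "tsc" } } },
};

// For a real package, the document fetched from https://registry.npmjs.org/<name> has this shape.
for (const doc of [DORMANT_DOC, ACTIVE_DOC]) console.log(assessLatest(doc));
```

A "high" result is a prompt to diff the new tarball against the previous version and to pin the last known-safe version in the lockfile, not an automatic block.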