Sonatype has identified multiple npm cryptocurrency packages, the latest versions of which have been hijacked and altered to steal sensitive information, such as environment variables, from the target victims.
Some of these packages have lived on npmjs.com for over 9 years, and provide legitimate functionality to blockchain developers. However, our automated malware detection systems detected that the latest versions of each of these packages were laden with obfuscated scripts, raising alarms.
Multiple npm crypto packages hijacked
The hijacked packages, analyzed by Sonatype security researcher Ali ElShakankiry, are listed below along with their malicious version numbers and their download counts (for all versions over their lifetime).
The packages in this campaign are tracked as sonatype-2025-000924.
Package | Hijacked (malicious) version | Total downloads over lifetime (all versions)
country-currency-map | 2.1.8 | 288,851
bnb-javascript-sdk-nobroadcast | 2.16.16 | 38,673
@bithighlander/bitcoin-cash-js-lib | 5.2.2 | 5,413
eslint-config-travix | 6.3.1 | 26,312
@crosswise-finance1/sdk-v2 | 0.1.21 | 886
@keepkey/device-protocol | 7.13.3 | 53,325
@veniceswap/uikit | 0.65.34 | 1,071
@veniceswap/eslint-config-pancake | 1.6.2 | 173
babel-preset-travix | 1.2.1 | 6,902
@travix/ui-themes | 1.1.5 | 5,821
@coinmasters/types | 4.8.16 | 61,626
Some of these components have existed on the npm registry for as long as 9 years and provide functionality to crypto developers to interact with blockchain services and protocols.
For example, the "bnb-javascript-sdk-nobroadcast" package, which had not had a version published in 4 years, had a new release yesterday containing malicious code.
Of note is also the "country-currency-map" package, which has "PayScale," an American compensation data company, listed as one of the collaborators.
Thankfully, the package maintainer(s) have deprecated the latest (hijacked) version 2.1.8 from yesterday, and recommend using the earlier (safe) 2.1.7 version, published 5 years ago.
Obfuscated scripts exfiltrate environment variables
The latest versions of these packages contain two scripts with heavily obfuscated code:
- package/scripts/launch.js
- package/scripts/diagnostic-report.js
These scripts run as soon as the packages are installed, and collect sensitive information from the target system environment such as environment variables (that may often store API keys, access tokens, SSH credentials, etc.).
This information is then exfiltrated to the hostname eoi2ectd5a5tn1h.m.pipedream(.)net.
No changes on GitHub, just npm
It is unclear exactly how the hijack occurred or what the threat actor's motive is.
We observed no recent changes made to GitHub repositories of these packages, despite new versions popping up on npm. As an example, the source code for PayScale's "country-currency-map" repository has not been updated in 5 years, yet a newer version (2.1.8) with malicious code appeared out of nowhere this week on npm.
We hypothesize the cause of the hijack to be old npm maintainer accounts getting compromised either via credential stuffing (which is where threat actors retry usernames and passwords leaked in previous breaches to compromise accounts on other websites), or an expired domain takeover — both common scenarios explained in npm documentation. Given the concurrent timing of the attacks on multiple projects from distinct maintainers, the first scenario (maintainer accounts takeover) appears to be more likely as opposed to well-orchestrated phishing attacks.
Although npm mandated two-factor authentication (2FA) for high impact projects in 2022 (e.g. authors of npm packages receiving 1 million weekly downloads or with more than 500 dependents), some authors still need to enroll in two-factor authentication. Naturally, for abandoned or end-of-life open source projects that are no longer maintained, such protective mandates may be a tad more difficult to enforce, leaving older projects vulnerable to abuse by threat actors.
Open source malware blocked by Sonatype Repository Firewall
This isn't the first time a stunt like this has been pulled, but it's a stark reminder of threat actors' evolving tactics and commitment to exploiting the open source ecosystem for nefarious reasons. The case highlights a pressing need for improved supply chain security measures and greater vigilance from developers in monitoring third-party software registries. Organizations must prioritize security at every stage of the development process to mitigate risks associated with third-party dependencies.
Sonatype Repository Firewall and Sonatype Lifecycle stay on top of nascent attacks and vulnerabilities and provide you with detailed insights to thwart previously undetected malware, Potentially Unwanted Applications (PUAs), and vulnerable components from reaching your builds.
Malicious open source is designed to evade typical software composition analysis (SCA) scanners. However, users of Sonatype Repository Firewall can rest easy knowing that these packages would automatically be blocked from reaching their development builds and keep their software development life cycle (SDLC) hygienic.

Ax is a Staff Security Researcher & Malware Analyst at Sonatype with a penchant for open source software. His works and expert analyses have frequently been featured by leading media outlets including the BBC. Ax's expertise lies in security vulnerability research, reverse engineering, and ...