Article Posted on Mar 28, 2025 by Ravie Lakshmanan
Tags: Cryptocurrency / Developer Security
Cybersecurity researchers have uncovered several cryptocurrency-related packages on the npm registry that have been compromised to steal sensitive information, including environment variables, from the systems that install them.
According to Sonatype researcher Ax Sharma, "Some of these packages have been available on npmjs.com for over 9 years, providing legitimate functionality to blockchain developers. However, the latest versions of each of these packages contain obfuscated scripts." This highlights the potential risks associated with using outdated or unverified packages in development projects.
The following packages have been identified as having been hijacked:
- country-currency-map (2.1.8)
- bnb-javascript-sdk-nobroadcast (2.16.16)
- @bithighlander/bitcoin-cash-js-lib (5.2.2)
- eslint-config-travix (6.3.1)
- @crosswise-finance1/sdk-v2 (0.1.21)
- @keepkey/device-protocol (7.13.3)
- @veniceswap/uikit (0.65.34)
- @veniceswap/eslint-config-pancake (1.6.2)
- babel-preset-travix (1.2.1)
- @travix/ui-themes (1.1.5)
- @coinmasters/types (4.8.16)
Upon analysis, it was found that these packages contain heavily obfuscated code in two scripts: "package/scripts/launch.js" and "package/scripts/diagnostic-report.js." This code is designed to harvest sensitive data such as API keys, access tokens, and SSH keys, which are then exfiltrated to a remote server.
Notably, the GitHub repositories associated with these libraries have not been modified to include the malicious code, which raises questions about how the threat actors managed to push the compromised packages. The ultimate goal of this campaign is currently unknown.
Sharma hypothesizes that the cause of the hijack may be attributed to old npm maintainer accounts being compromised through credential stuffing or an expired domain takeover. Given the concurrent timing of the attacks on multiple projects from distinct maintainers, the first scenario appears more likely.
These findings emphasize the importance of securing accounts with two-factor authentication (2FA) to prevent takeover attacks. Moreover, they highlight the challenges associated with enforcing security safeguards when open-source projects reach end-of-life or are no longer actively maintained.
As Sharma notes, "The case highlights a pressing need for improved supply chain security measures and greater vigilance in monitoring third-party software registries developers. Organizations must prioritize security at every stage of the development process to mitigate risks associated with third-party dependencies."