Supply Chain Warfare: Advanced Typosquatting Targets Web3 Development Ecosystems

Threat actors are increasingly weaponizing the inherent trust placed in open-source dependencies to target Web3 engineering teams. By deploying sophisticated typosquatting campaigns via the npm registry, attackers are transforming routine dependency installations into high-speed conduits for wallet theft, secret harvesting, and multi-stage malware deployment.

This specific campaign is particularly insidious because it leverages the established branding of Ethereum and prominent blockchain utilities. Rather than waiting for manual execution, the malware abuses npm's preinstall and postinstall lifecycle hooks, ensuring malicious code executes automatically the moment a developer runs npm install.

According to a technical report from Cyfirma, researchers identified 11 highly suspicious npm packages designed to impersonate industry-standard tools. These packages mimic legitimate projects such as Ethereum, Coinbase Wallet, Moralis, and Hardhat to deceive even seasoned developers.

The technical objectives of these packages range from reconnaissance and credential theft to remote payload delivery. Most critically, certain variants are engineered to intercept private keys and mnemonic phrases directly from memory or local storage during wallet creation workflows.

Tactical Execution: Deceptive Wrappers and Trojanized SDKs

The attackers have organized their campaign into distinct tactical clusters:

  • Deceptive Wrappers: Packages like ethers-jss and coinbase-wallet-utils act as functional wrappers that include malicious lifecycle hooks to trigger code execution immediately upon installation.
  • Trojanized SDKs: The moralis-sdk cluster represents a significantly larger threat. These packages appear to be legitimate copies of the original Moralis SDK, including documentation and source files, but include a hidden, malicious postinstall stage. Given its high profile, this specific variant has seen over 2.7 million downloads, dramatically increasing its potential blast radius.
Package Metadata Analysis (Source: Cyfirma)

This operation exploits the “human error” element of development. A developer searching for a specific library may inadvertently install a lookalike package due to a minor typo. To further minimize detection during manual code reviews, the attackers utilize brand impersonation, code obfuscation, and lightweight package structures that blend into a standard project directory.

Advanced Tradecraft and On-Chain C2

The sophistication of this campaign moves beyond simple “dropper” behavior. The malware demonstrates high-maturity tradecraft, including:

  • Environment Scraping: Automated harvesting of .env files, SSH keys, environment variables, and Web3-specific configuration files.
  • Multi-Stage Payloads: The ability to pull secondary payloads from remote servers once the initial infection is established.
  • Blockchain-Assisted C2: In a highly specialized move, the attackers use blockchain-assisted command-and-control (C2) and exfiltration paths, making it incredibly difficult for traditional network monitoring tools to flag the traffic as malicious.

This capability allows attackers to pivot from a single compromised developer workstation to high-value targets, including cloud credentials, CI/CD pipelines, and production-level wallets.

Download Activity (Source: Cyfirma)

Mitigating the Blast Radius in Web3 Environments

The structural vulnerability in blockchain development lies in the speed of the ecosystem. Web3 teams rely on rapid updates and highly privileged secrets stored in local development environments. When malicious code enters this workflow, the damage is not limited to source code; it extends to private keys, deployment credentials, and direct financial assets.

Anomalies within the packages further highlight the malicious intent. For example, the discovery of docker_hunter.py inside an Ethereum-focused utility package is a significant red flag, as the script has no functional relevance to the package’s stated purpose. Similarly, the use of cloned Moralis SDK files serves only to provide a veneer of authenticity.

For security teams, these findings underscore that dependency auditing, strict lockfile management, package-name verification, and automated secret scanning are no longer optional—they are fundamental pillars of Web3 security architecture.
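The controls named above (install-hook review, package-name verification, lockfile and archive-hash checks) can be exercised before anything is installed. The following is an added example written for this article, not code from the Cyfirma report or from any package it describes: a small pre-install audit that walks a list of package manifests and flags lifecycle hooks that would run on npm install, names that are a small edit distance from (or a brand-prefixed variant of) a trusted watchlist, and tarball digests that appear on a blocklist. The watchlist, the `sha256` manifest field and the sample manifests are assumptions constructed for the example; the two blocklisted digests are copied from the IoC table on this page.

```javascript
// Added example, not code from the Cyfirma report or from any package it describes.
// A pre-install audit that applies three controls from the article to a list of
// package manifests:
//   1. flag lifecycle hooks (preinstall/install/postinstall) that run on `npm install`
//   2. flag names within a small edit distance of, or brand-prefixed on, a trusted
//      watchlist (typosquat lookalikes)
//   3. match tarball SHA-256 digests against a blocklist built from the IoC table
// The `sha256` field, the watchlist and the sample manifests are assumptions made
// for this example (real package-lock.json entries carry an `integrity` field instead).

const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Constructed watchlist of genuine names the campaign imitates (assumption).
const TRUSTED_NAMES = ["ethers", "hardhat", "ganache", "moralis", "stellar-sdk", "solidity"];

// SHA-256 digests copied from the IoC table above (ethers-jss and ganach archives).
const BLOCKED_SHA256 = new Set([
  "d94a2444268b339dfda2615f7800322fb318e0a484414bb17016cfcd5eb07c44",
  "7269c00a6164fd01dd516e0a72b2bd84c82e78feb552e06964e4992ff0479dda",
]);

// Levenshtein edit distance computed with a single rolling row.
function levenshtein(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];          // D[i-1][j-1]
    row[0] = i;                 // D[i][0]
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];     // D[i-1][j]
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + cost);
      diag = above;
    }
  }
  return row[b.length];
}

// Returns the trusted name a package name imitates, or null if it is an exact
// trusted name or resembles none of them.
function lookalikeOf(name, maxDistance = 2) {
  const bare = name.replace(/^@[^/]+\//, ""); // drop an npm scope such as @acme/
  if (TRUSTED_NAMES.includes(bare)) return null;
  for (const trusted of TRUSTED_NAMES) {
    if (levenshtein(bare, trusted) <= maxDistance) return trusted;
    if (bare.startsWith(trusted + "-") || bare.startsWith(trusted + "_")) return trusted;
  }
  return null;
}

// Audit one manifest; returns findings with severity "warn" (needs review) or
// "block" (known-malicious archive).
function auditManifest(pkg) {
  const findings = [];
  const scripts = pkg.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    if (hook in scripts) {
      findings.push({ name: pkg.name, severity: "warn", kind: "install-hook",
                      detail: `${hook}: ${scripts[hook]}` });
    }
  }
  const imitated = lookalikeOf(pkg.name);
  if (imitated) {
    findings.push({ name: pkg.name, severity: "warn", kind: "lookalike-name",
                    detail: `resembles trusted package "${imitated}"` });
  }
  if (pkg.sha256 && BLOCKED_SHA256.has(pkg.sha256.toLowerCase())) {
    findings.push({ name: pkg.name, severity: "block", kind: "known-malicious-archive",
                    detail: `sha256 ${pkg.sha256} is on the blocklist` });
  }
  return findings;
}

// Audit a whole dependency set; the install proceeds only if nothing is blocked.
function auditManifests(manifests) {
  const findings = manifests.flatMap(auditManifest);
  const proceed = !findings.some((f) => f.severity === "block");
  return { findings, proceed };
}

// Constructed sample manifests. Only the ganach digest is real (from the IoC
// table); the other sha256 values are placeholders.
const SAMPLE_MANIFESTS = [
  { name: "ethers", version: "6.13.0", scripts: { test: "mocha" }, sha256: "0000placeholder" },
  { name: "ganach", version: "1.0.0", scripts: { postinstall: "node setup.js" },
    sha256: "7269c00a6164fd01dd516e0a72b2bd84c82e78feb552e06964e4992ff0479dda" },
  { name: "hardhat-deploy", version: "0.12.0", scripts: {} },
  { name: "solidty", version: "0.8.0", scripts: { preinstall: "node init.js" },
    sha256: "1111placeholder" },
];

function runDemo() {
  const report = auditManifests(SAMPLE_MANIFESTS);
  for (const f of report.findings) {
    console.log(`[${f.severity}] ${f.name}: ${f.kind} (${f.detail})`);
  }
  console.log(report.proceed ? "install may proceed" : "install blocked");
  return report;
}

runDemo();
```

On the sample set the audit blocks the install because the ganach archive matches a blocklisted digest, and it raises review warnings for the two install hooks and for the ganach, hardhat-deploy and solidty names. A brand-prefix hit such as hardhat-deploy is deliberately only a warning, since legitimate ecosystem packages use that naming pattern too. The hook check complements, rather than replaces, setting ignore-scripts=true in .npmrc and installing with npm ci so the lockfile is enforced.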

Trojanized Moralis SDK Package (Source: Cyfirma)

INDICATORS OF COMPROMISE (IOCs)

No. Indicator Type Remarks
1. 53b91117db931d3acbbfd15aa8400bb6691e023d SHA1 ethers-jss package archive
2. d94a2444268b339dfda2615f7800322fb318e0a484414bb17016cfcd5eb07c44 SHA256 ethers-jss package archive
3. 63154cd9c79f9d14eb9be6c4efc2a778d31646ec SHA1 coinbase-wallet-utils package archive
4. 6585ca0d3e26c20ced638f46f4a89eea924d411b8753d3fcf434663593c7cf0b SHA256 coinbase-wallet-utils package archive
5. 74d3d5ab6d0fa4c6a5860598231728a6a893ecf7 SHA1 moralis-sdk v1.0.1 package archive
6. 17bad5ae5b2ac262f5f18854853869840245c344105aa38c7f550ef51d2e5f26 SHA256 moralis-sdk v1.0.1 package archive
7. fcc8a542aad41e758cf6c18571048890be53808e SHA1 ganach package archive
8. 7269c00a6164fd01dd516e0a72b2bd84c82e78feb552e06964e4992ff0479dda SHA256 ganach package archive
9. 70842cfc27b116d0db2fd7aa33d53a3faf510993 SHA1 solidty package archive
10. e848d73a68e4e8aea00a6257552b5872907dfaf7cce3d94636d7e59d286edeab SHA256 solidty package archive
11. e1bdcd1a7157f7d047a88ab4573723fe1e861951 SHA1 stelar-sdk package archive
12. 2fa5b0475c3b70a3ba14c6a3938baf441a08b11841493b85e087d1d5e01eba49 SHA256 stelar-sdk package archive
13. pastefy[.]app/RhPBKGli/raw URL Base64-encoded PowerShell payload hosting
14. 193[.]233[.]201[.]21:3001 C2 Remote payload distribution server
15. 0xa1b40044EBc2794f207D45143Bd82a1B86156c6b Contract Ethereum Smart Contract for dynamic infrastructure retrieval
16. 0x52221c293a21D8CA7AFD01Ac6bFAC7175D590A84 Wallet Queried by smart contract to obtain C2 configuration
17. 0xCBbecC5E5Eb88582e6305cF6ab688f03e02Ce16f Wallet Target address for exfiltration transactions
18. d6abc7003b580472d808b338adef0b28eacc698cd4692f76cb2a91718ab78d88 SHA256 hardhat-deploy-utils package archive
19. bab96257018df49ace8fe8adfadc74cf8327fcf9a9dc8a3a7c9ac8e18881df5f SHA256 web3-deploy-helper package archive
20. d7ec660a2a29c1aabcbe9bff1ef29be9a9fab8c7fe7c40df4772dd2b5bdf9666 SHA256 defi-sdk-core package archive
21. 5c50f79038b31aa8a3a68b24d8b783dfbd2e15fff7586c5609e544a717ef7d05 SHA256 ethers-compat package archive
22. feabf10c8a9ba2775bb0f7f9d0b20203112b7df8e6d333a44d5a11eae0e38e86 SHA256 ethereum-dev-utils package archive

Security Advisory: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental execution. Re-fang only within controlled threat intelligence environments.
