Malicious npm package mimicking CryptoJS targets cryptocurrency wallets
Cybersecurity researchers at Sonatype have identified a harmful npm package named "crypto-encrypt-ts" designed to impersonate the legitimate but unmaintained CryptoJS library in order to exfiltrate cryptocurrency and sensitive user data, according to HackRead. The package masquerades as a TypeScript-compatible version of CryptoJS, even replicating elements of the official documentation to appear authentic. Uploaded by an unknown user with no other packages, the malware transmits stolen data using the Better Stack logging service. It has been downloaded over 1,900 times since its introduction to the npm registry. Detailed analysis revealed that the malicious code, especially in version 5.4.2, seeks MongoDB credentials, environment variables, and cryptocurrency wallet information. Later versions selectively target wallets with balances over 1,000 units, stealing private keys and forwarding them to a server controlled by the attacker. Persistence is achieved through the pm2 process manager and cron jobs. The presence of Turkish-language comments in the code suggests a possible geographic origin. Sonatype has reported the package to npm, advising immediate removal.
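As an added defensive check (example code written for this page, not code from Sonatype, HackRead, or the package described), the Python script below audits a package-lock.json for the package named in this advisory, for dependency names that resemble crypto-js (the real npm name of CryptoJS), and for dependencies that run install scripts. The denylist, the similarity threshold and the sample lockfile are assumptions constructed for illustration; the install-script flag in the sample is illustrative, not a claim from the advisory.

```python
import json
from difflib import SequenceMatcher

# Package name taken from the advisory on this page; every version is treated as malicious.
KNOWN_MALICIOUS = {"crypto-encrypt-ts"}
# Legitimate libraries that impostor packages imitate (crypto-js is the real CryptoJS package).
IMPERSONATION_TARGETS = {"crypto-js"}
LOOKALIKE_THRESHOLD = 0.6  # assumption: tune against your own dependency set


def lookalike_of(name):
    """Return the legitimate package name this name resembles, or None."""
    for target in IMPERSONATION_TARGETS:
        if name != target and SequenceMatcher(None, name, target).ratio() >= LOOKALIKE_THRESHOLD:
            return target
    return None


def audit_lockfile(lock_text):
    """Scan a package-lock.json (lockfileVersion 2 or 3) and return (name, version, reason) findings."""
    lock = json.loads(lock_text)
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if not path:  # the empty key is the root project itself
            continue
        # Lockfile keys look like "node_modules/<name>" or "node_modules/a/node_modules/<name>".
        name = meta.get("name") or path.split("node_modules/")[-1]
        version = meta.get("version", "?")
        if name in KNOWN_MALICIOUS:
            findings.append((name, version, "known malicious package"))
        target = lookalike_of(name)
        if target:
            findings.append((name, version, f"name resembles {target}; verify the publisher"))
        if meta.get("hasInstallScript"):
            findings.append((name, version, "runs an install script; review it before installing"))
    return findings


# Constructed sample lockfile (not from the page) containing one bad dependency.
SAMPLE_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/crypto-encrypt-ts": {"version": "5.4.2", "hasInstallScript": True},
        "node_modules/crypto-js": {"version": "4.2.0"},
        "node_modules/lodash": {"version": "4.17.21"},
    },
})

if __name__ == "__main__":
    for name, version, reason in audit_lockfile(SAMPLE_LOCK):
        print(f"{name}@{version}: {reason}")
```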
