Malicious crypto-theft package targets Web3 developers in North Korean operation

2025-06-12, Aikido
https://www.aikido.dev/blog/malicious-package-web3
#NPM

Last week, our automated malware analysis pipeline flagged a suspicious package, web3-wrapper-ethers. The package impersonates the popular ethers library and contains obfuscated code designed to steal private keys. Our investigation revealed that the package may be associated with the threat actor known as Void Dokkaebi, a group known for stealing cryptocurrency from developers involved in the development of web3, blockchain, and cryptocurrency technologies.
The package

The package was initially released on June 5th at 12:45 AM GMT+0.

We see some tell-tale signs that this package is built to deceive. The package name is web3-wrapper-ethers, but the repository field points at the ethers.js project on GitHub. Indeed, the attackers simply copied the repository and made minor modifications. They released a total of 5 versions within a day.
The author

The package was released by kaufman0913, with the matching email of kaufman0913@gmail[.]com.

The choice of a very low-resolution picture of Rapunzel is... interesting. But let's not get tangled up in …

IoC

74.119.194.244
fd81fc4d8379f535510c1f064549472e5a1dd26c32c1937c1e23db1b56bfb42f
ff47554247f2094dda55b84b7da6e6c9