Coinbase, npm and Moralis: Malicious npm Packages Abuse Postinstall Scripts to Steal Ethereum Private Keys and Mnemonic Phrases

Coinbase, npm and Moralis: Malicious npm Packages Abuse Postinstall Scripts to Steal Ethereum Private Keys and Mnemonic Phrases

Sophisticated npm Supply Chain Attack Targets Blockchain Developers

A newly uncovered software supply chain attack has compromised blockchain developers through eleven malicious npm packages, designed to steal cryptocurrency wallet credentials and infiltrate development environments. Discovered by Cyfirma Research, the campaign exploited open-source ecosystems to target Web3 projects and cloud-native infrastructure, amassing over 2.7 million downloads and significantly expanding its reach.

The attack employed typosquatting and impersonation tactics, tricking developers into installing packages that mimicked legitimate tools. Three distinct clusters of malicious packages were identified:

  1. Coinbase Wallet Utils – Functioned as an information stealer, conducting host reconnaissance and exfiltrating sensitive data to attacker-controlled servers.
  2. moralis-sdk – The most downloaded package, containing an obfuscated post-install script that initiated a multi-stage infection chain, downloading and executing remote payloads.
  3. Typosquatted packages (e.g., Ganach, Solidity, Stelar-sdk) – Leveraged blockchain-based command-and-control infrastructure to dynamically deploy platform-specific malware.

Additionally, an npm user named ethcompat published five malicious packages, including hardhat-deploy-utils and ethers-compat, which harvested deployment credentials, SSH keys, and wallet secrets collectively garnering over 2,200 downloads.

The primary attack vector relied on npm post-installation scripts, which executed malicious code automatically upon package installation, requiring no further user interaction. The campaign underscores the growing threat of supply chain attacks in open-source ecosystems, particularly against cryptocurrency and decentralized finance (DeFi) projects.

Indicators of compromise (IoCs) include SHA1/SHA256 hashes for malicious packages such as ethers-jss and coinbase-wallet-utils, though attacker-controlled domains and IPs remain defanged to prevent accidental resolution.

Source: https://cyberpress.org/npm-packages-abuse-postinstall-scripts/

Coinbase TPRM report: https://www.rankiteo.com/company/coinbase

npm TPRM report: https://www.rankiteo.com/company/npm-inc-

Moralis TPRM report: https://www.rankiteo.com/company/moralisweb3

"id": "mornpmcoi1781267690",
"linkid": "moralisweb3, npm-inc-, coinbase",
"type": "Cyber Attack",
"date": "6/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'Cryptocurrency, Decentralized Finance '
                                    '(DeFi), Software Development',
                        'type': 'Blockchain developers, Web3 projects, DeFi '
                                'projects'}],
 'attack_vector': 'Malicious npm packages (post-installation scripts)',
 'data_breach': {'data_exfiltration': 'Yes (to attacker-controlled servers)',
                 'personally_identifiable_information': 'Potentially (wallet '
                                                        'credentials, SSH '
                                                        'keys)',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Cryptocurrency wallet '
                                              'credentials',
                                              'Deployment credentials',
                                              'SSH keys',
                                              'Wallet secrets']},
 'description': 'A newly uncovered software supply chain attack has '
                'compromised blockchain developers through eleven malicious '
                'npm packages, designed to steal cryptocurrency wallet '
                'credentials and infiltrate development environments. The '
                'campaign exploited open-source ecosystems to target Web3 '
                'projects and cloud-native infrastructure, amassing over 2.7 '
                'million downloads. The attack employed typosquatting and '
                'impersonation tactics, tricking developers into installing '
                'packages that mimicked legitimate tools. Three distinct '
                'clusters of malicious packages were identified: Coinbase '
                'Wallet Utils (information stealer), moralis-sdk (multi-stage '
                'infection chain), and typosquatted packages (e.g., Ganach, '
                'Solidity, Stelar-sdk) leveraging blockchain-based '
                'command-and-control infrastructure. Additionally, an npm user '
                'named ethcompat published five malicious packages, including '
                'hardhat-deploy-utils and ethers-compat, which harvested '
                'deployment credentials, SSH keys, and wallet secrets.',
 'impact': {'data_compromised': 'Cryptocurrency wallet credentials, deployment '
                                'credentials, SSH keys, wallet secrets',
            'identity_theft_risk': 'High (wallet credentials, PII)',
            'operational_impact': 'Infiltration of development environments, '
                                  'potential unauthorized access to systems',
            'payment_information_risk': 'High (cryptocurrency wallet '
                                        'credentials)',
            'systems_affected': 'Development environments, Web3 projects, '
                                'cloud-native infrastructure'},
 'initial_access_broker': {'entry_point': 'Malicious npm packages',
                           'high_value_targets': 'Blockchain developers, Web3 '
                                                 'projects'},
 'lessons_learned': 'Growing threat of supply chain attacks in open-source '
                    'ecosystems, particularly against cryptocurrency and DeFi '
                    'projects. Need for stricter verification of npm packages '
                    'and awareness of typosquatting risks.',
 'motivation': 'Financial gain (cryptocurrency theft), credential harvesting',
 'post_incident_analysis': {'corrective_actions': ['Enhanced npm package '
                                                   'verification processes',
                                                   'Developer education on '
                                                   'supply chain risks',
                                                   'Implementation of security '
                                                   'tools to detect malicious '
                                                   'scripts'],
                            'root_causes': ['Typosquatting and impersonation '
                                            'of legitimate npm packages',
                                            'Automatic execution of malicious '
                                            'post-install scripts',
                                            'Lack of verification for npm '
                                            'package authenticity']},
 'recommendations': ['Verify npm package authenticity before installation',
                     'Monitor post-installation script behavior',
                     'Use package managers with built-in security checks',
                     'Educate developers on typosquatting and impersonation '
                     'risks',
                     'Implement multi-factor authentication for sensitive '
                     'credentials'],
 'references': [{'source': 'Cyfirma Research'}],
 'response': {'third_party_assistance': 'Cyfirma Research'},
 'title': 'Sophisticated npm Supply Chain Attack Targets Blockchain Developers',
 'type': 'Supply Chain Attack',
 'vulnerability_exploited': 'Typosquatting, impersonation, and automatic '
                            'execution of post-install scripts'}
Great! Next, complete checkout for full access to Rankiteo Blog.
Welcome back! You've successfully signed in.
You've successfully subscribed to Rankiteo Blog.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info has been updated.
Your billing was not updated.