Cybercriminals Target Ethereum Developers with Fake Hardhat npm Packages

Cybersecurity researchers have revealed several malicious packages on the npm registry that have been found impersonating the Nomic Foundation's Hardhat tool in order to steal sensitive data from developer systems.
"By exploiting trust in open source plugins, attackers have infiltrated these platforms through malicious npm packages, exfiltrating critical data such as private keys, mnemonics, and configuration details," the Socket research team said in an analysis.
Hardhat is a development environment for Ethereum software, incorporating various components for editing, compiling, debugging and deploying smart contracts and decentralized apps (dApps).
The list of identified counterfeit packages is as follows -
- nomicsfoundations
- @nomisfoundation/hardhat-configure
- installedpackagepublish
- @nomisfoundation/hardhat-config
- @monicfoundation/hardhat-config
- @nomicsfoundation/sdk-test
- @nomicsfoundation/hardhat-config
- @nomicsfoundation/web3-sdk
- @nomicsfoundation/sdk-test1
- @nomicfoundations/hardhat-config
- crypto-nodes-validator
- solana-validator
- node-validators
- hardhat-deploy-others
- hardhat-gas-optimizer
- solidity-comments-extractors
Of these packages, @nomicsfoundation/sdk-test has attracted 1,092 downloads. It was published over a year ago in October 2023. Once installed, they are designed to harvest mnemonic phrases and private keys from the Hardhat environment, following which they are exfiltrated to an attacker-controlled server.
"The attack begins when compromised packages are installed. These packages exploit the Hardhat runtime environment using functions such as hreInit() and hreConfig() to collect sensitive details like private keys, mnemonics, and configuration files," the company said.
"The collected data is transmitted to attacker-controlled endpoints, leveraging hardcoded keys and Ethereum addresses for streamlined exfiltration."
The disclosure comes days after the discovery of another malicious npm package named ethereumvulncontracthandler that masquerades as a library for detecting vulnerabilities in Ethereum smart contracts but instead harbored functionality to drop the Quasar RAT malware.
In recent months, malicious npm packages have also been observed using Ethereum smart contracts for command-and-control (C2) server address distribution, co-opting infected machines into a blockchain-powered botnet called MisakaNetwork. The campaign has been tracked back to a Russian-speaking threat actor named "_lain."
"The threat actor points out an inherent npm ecosystem complexity, where packages often rely on numerous dependencies, creating a complex 'nesting doll' structure," Socket said.
"This dependency chain makes comprehensive security reviews challenging and opens opportunities for attackers to introduce malicious code. _lain admits to exploiting this complexity and dependency sprawl in npm ecosystems, knowing that it is impractical for developers to scrutinize every single package and dependency."
That's not all. A set of phony libraries uncovered across the npm, PyPI, and RubyGems ecosystems have been found leveraging out-of-band application security testing (OAST) tools such as oastify.com and oast.fun to exfiltrate sensitive data to attacker-controlled servers.
The names of the packages are as follows -
- adobe-dcapi-web (npm), which avoids compromising Windows, Linux, and macOS endpoints located in Russia and comes with capabilities to collect system information
- monoliht (PyPI), which collects system metadata
- chauuuyhhn, nosvemosssadfsd, holaaaaaafasdf (RubyGems), which contain embedded scripts designed to transfer sensitive information via DNS queries to an oastify.com endpoint
"The same tools and techniques created for ethical security assessments are being misused by threat actors," Socket researcher Kirill Boychenko said. "Originally intended to uncover vulnerabilities in web applications, OAST methods are increasingly exploited to steal data, establish command and control (C2) channels, and execute multi-stage attacks."
To mitigate the supply chain risks posed by such packages, it's recommended that software developers verify package authenticity, exercise caution when typing package names, and inspect the source code before installation.
Microsoft may have scrapped Windows 11's dynamic wallpapers feature
⚡ THN Weekly Recap: Top Cybersecurity Threats, Tools and Tips [6 Jan]
CVE-2024-20439 Cisco Smart Licensing Utility Static Credential Vulnerability
CVE-2025-2783 Google Chromium Mojo Sandbox Escape Vulnerability
CVE-2019-9874 Sitecore CMS and Experience Platform (XP) Deserialization Vulnerability
CVE-2019-9875 Sitecore CMS and Experience Platform (XP) Deserialization Vulnerability
CVE-2025-30154 reviewdog/action-setup GitHub Action Embedded Malicious Code Vulnerability
CVE-2025-1316 Edimax IC-7100 IP Camera OS Command Injection Vulnerability
CVE-2024-48248 NAKIVO Backup and Replication Absolute Path Traversal Vulnerability
CVE-2017-12637 SAP NetWeaver Directory Traversal Vulnerability
CVE-2025-24472 Fortinet FortiOS and FortiProxy Authentication Bypass Vulnerability
InformationalInformation Disclosure - Suspicious Comments
InformationalRe-examine Cache-control Directives
Free online web security scanner