Microsoft Alerts: npm Packages Hide Crypto-Stealing RAT

Microsoft warns that two npm packages delivered a remote access trojan (RAT) that steals crypto wallet credentials and exfiltrates data via Hugging Face. Developers and wallet users should audit dependencies, rotate keys, and use hardware wallets.

Elias Moreau

Microsoft warns of npm packages distributing a crypto-stealing RAT

Microsoft has issued a warning that two npm packages have been weaponized to deploy a remote access trojan (RAT) designed to harvest cryptocurrency wallet credentials and other sensitive developer secrets. The discovery underscores an ongoing supply-chain threat that targets the tooling and machines used to build and operate crypto infrastructure.

Attack details: poisoned npm packages and unexpected exfiltration

Microsoft Threat Intelligence identified two compromised npm modules — [email protected] and [email protected] — that install malware able to log keystrokes, capture screenshots and scrape files that often include wallets, API keys and authentication tokens. The attackers then used Hugging Face repositories to move stolen data, a tactic that can blend exfiltration into legitimate AI/ML traffic and reduce detection by traditional security controls.

Compromised npm packages ([email protected], [email protected]) are abusing Hugging Face repos as exfiltration infrastructure. The packages deploy a remote access trojan (RAT) that captures keystrokes, screenshots, and crypto wallet credentials.

Why developers and crypto users are at risk

npm is a widely used public registry for JavaScript packages. When a developer installs a compromised dependency, the malware can run silently on the host machine and hunt for valuable artifacts: browser extension wallets, private keys, seed phrase files, exchange API keys, GitHub tokens, and cloud credentials. Compromised developer systems provide attackers with direct routes to drain wallets, hijack trading accounts or push malicious code into production environments.

Supply-chain context: this is part of a larger trend

This alert follows recent supply-chain incidents affecting the crypto and developer ecosystems. Earlier campaigns — including the TrapDoor operation — abused packages across npm, PyPI and Rust registries to steal credentials and access secrets. Other reports have highlighted malicious Axios releases and npm payloads that install cross-platform RATs or plain-crypto-js malware, specifically targeting crypto and AI developers.

Cryptojacking and GPU miner threats

Microsoft also recently flagged separate campaigns that used poisoned search results and fake utility downloads to deliver GPU mining malware to high-performance systems. Those attacks leveraged fraudulent installers for tools like CrystalDiskInfo and HWMonitor and exploited remote administration software such as ScreenConnect to run cryptominers, putting gamers, hardware enthusiasts and developer workstations at risk.

Practical mitigation steps for developers and crypto holders

Security teams and individual developers should treat this warning as a prompt to strengthen controls across the software supply chain and developer workstations.

Immediate actions

- Audit recent npm installs and dependency manifests; remove or replace suspicious packages.
- Rotate credentials and API keys that were present on potentially infected machines.
- Revoke and re-issue GitHub tokens and cloud service keys stored on compromised hosts.
- Inspect wallet activity and transaction logs; report unauthorized activity to exchanges immediately.

Ongoing hardening

- Avoid storing seed phrases or private keys on internet-connected devices; prefer hardware wallets for custody.
- Use dependency-scanning tools, SBOMs (software bill of materials), and package signing to verify artifacts before install.
- Segregate developer environments from keys and production secrets; lock down CI/CD with least-privilege credentials.
- Enable endpoint detection and response (EDR), network monitoring for anomalous outbound traffic, and block unexpected exfiltration paths, including abuse of third-party cloud or AI hosting platforms.
- Verify all wallet transactions before signing and enable multi-factor authentication on exchanges and key services.
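One way to carry out the dependency audit the lists above call for, as an added example that is not code from the article or from Microsoft: it reads a lockfileVersion 2/3 package-lock.json, flags entries matching a blocklist of package@version pairs, and lists install-time lifecycle scripts declared in a dependency's package.json, since those hooks are what let a package run code during `npm install`. The blocklist entries and sample inputs are placeholders, because the article redacts the real package identifiers.

```javascript
// Added example for auditing npm dependencies; not code from the article or
// from Microsoft. Works on lockfileVersion 2/3 package-lock.json content.

// Placeholder blocklist: the article redacts the real package@version pairs,
// so substitute the identifiers from Microsoft's advisory here.
const BLOCKLIST = new Set(['example-pkg-a@1.2.3', 'example-pkg-b@4.5.6']);
// Lifecycle hooks that execute code during `npm install`
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Flatten the lockfile's "packages" map into {name, version} entries.
function listLockedPackages(lockJson) {
  const lock = typeof lockJson === 'string' ? JSON.parse(lockJson) : lockJson;
  const marker = 'node_modules/';
  return Object.entries(lock.packages || {})
    .filter(([key]) => key !== '') // skip the root project entry
    .map(([key, meta]) => ({
      // nested keys look like "node_modules/a/node_modules/b"; keep the last segment
      name: key.slice(key.lastIndexOf(marker) + marker.length),
      version: meta.version,
    }));
}

// Pinned versions that match the blocklist exactly, as "name@version" strings.
function findBlocklisted(lockJson) {
  return listLockedPackages(lockJson)
    .filter((p) => BLOCKLIST.has(`${p.name}@${p.version}`))
    .map((p) => `${p.name}@${p.version}`);
}

// Install-time scripts declared in a dependency's package.json.
function installScripts(pkgJson) {
  const pkg = typeof pkgJson === 'string' ? JSON.parse(pkgJson) : pkgJson;
  const scripts = pkg.scripts || {};
  return INSTALL_HOOKS.filter((h) => typeof scripts[h] === 'string')
    .map((h) => `${h}: ${scripts[h]}`);
}

// Constructed sample inputs standing in for a project's lockfile and one
// dependency's package.json (not real packages).
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-app', version: '0.0.1' },
    'node_modules/example-pkg-a': { version: '1.2.3' },
    'node_modules/@scope/safe-lib': { version: '2.0.0' },
    'node_modules/@scope/safe-lib/node_modules/example-pkg-b': { version: '4.5.6' },
  },
});
const SAMPLE_PKG = JSON.stringify({
  name: 'example-pkg-a', version: '1.2.3',
  scripts: { postinstall: 'node scripts/setup.js', test: 'mocha' },
});

console.log('blocklisted:', findBlocklisted(SAMPLE_LOCK));
console.log('install hooks:', installScripts(SAMPLE_PKG));
```

Run it against a real project by replacing the constructed samples with `fs.readFileSync('package-lock.json', 'utf8')` and each dependency's `node_modules/<name>/package.json`; any install hook on an unfamiliar package deserves a manual look before the next install.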

Takeaway

The Microsoft advisory is a reminder that modern attackers target builders as a shortcut to valuable targets. For the crypto sector, securing developer workflows, vetting open-source dependencies and isolating private keys are essential defenses against npm-based RATs, cryptojacking and other supply-chain threats. Stay vigilant: audit dependencies, rotate exposed credentials, and move sensitive keys to cold or hardware storage to reduce the risk of catastrophic loss.


Comments

Marius

Is this even true? Using Hugging Face for exfiltration sounds clever but also kinda obvious to spot. If that's real then check EDR, rotate tokens, audit npm installs asap. ugh

atomwave

wow, didn't expect npm libs to hide a RAT. rotate keys, check deps now! this is why I use hardware wallets, lol. seriously, patch your ci, ppl