←back to thread

NPM debug and chalk packages compromised

(www.aikido.dev)
1369 points universesquid | 2 comments | 08 Sep 25 15:37 UTC | HN request time: 0s | source
Show context
DDerTyp ◴[08 Sep 25 16:16 UTC] No.45170133[source]
One of the most insidious parts of this malware's payload, which isn't getting enough attention, is how it chooses the replacement wallet address. It doesn't just pick one at random from its list.

It actually calculates the Levenshtein distance between the legitimate address and every address in its own list. It then selects the attacker's address that is visually most similar to the original one.

This is a brilliant piece of social engineering baked right into the code. It's designed to specifically defeat the common security habit of only checking the first and last few characters of an address before confirming a transaction.

We did a full deobfuscation of the payload and analyzed this specific function. Wrote up the details here for anyone interested: https://jdstaerk.substack.com/p/we-just-found-malicious-code...

Stay safe!

replies(5): >>45170393 #>>45170458 #>>45172015 #>>45173594 #>>45180351 #
oasisbob ◴[08 Sep 25 16:35 UTC] No.45170393[source]
> This is a brilliant piece of social engineering baked right into the code. It's designed to specifically defeat the common security habit ...

I don't agree that the exuberance over the brilliance of this attack is warranted if you give this a moment's thought. The web has been fighting lookalike attacks for decades. This is just a more dynamic version of the same.

To be honest, this whole post has the ring of AI writing, not careful analysis.

replies(3): >>45170567 #>>45171008 #>>45172296 #
1. withinboredom ◴[08 Sep 25 17:20 UTC] No.45171008[source]
> To be honest, this whole post has the ring of AI writing, not careful analysis.

It has been what, hours? since the discovery? Are you expecting them to spend time analysing it instead of announcing it?

Also, nearly everyone has AI editing content these days. It doesn’t mean it wasn’t written by a human.

replies(1): >>45178875 #
2. bbarnett ◴[09 Sep 25 07:54 UTC] No.45178875[source]
Just for a counter, "nearly everyone" seems wildly ambitious.

I want no part of AI in any form of my communication, and I know many which espouse the same.

I will certainly agree on "many", but not "nearly everyone".