error-ex Phishing Compromise Leads to Cryptocurrency Wallet Hijacking

Vulnerability

A supply chain attack has been identified in version 1.3.3 of the 'error-ex' npm package. This version was published after a phishing attack compromised the package author's npm account. The malicious code added to 'error-ex' targets cryptocurrency transactions by redirecting funds to attacker-controlled addresses. The interception takes place in browser environments, including those built with popular frameworks and bundling tools. The attack exploits Web3 functionality, particularly targeting wallets like MetaMask, by replacing legitimate wallet addresses with the attacker's before transactions are signed. The compromised version has been removed from the npm registry, and users are advised to update to version 1.3.4, the first non-compromised version.

Impact

The vulnerability allows for unauthorized interception and manipulation of cryptocurrency transactions, redirecting funds from the victim's wallet to that of the attacker. This occurs without the user's knowledge, as the transaction appears normal until it is signed and executed.

Reproduction

The vulnerability can be reproduced by including 'error-ex' version 1.3.3 in a project and bundling it for browser use. Once the package is active in a browser environment, the malware will intercept cryptocurrency transactions, particularly those involving decentralized exchanges, and redirect funds to attacker-controlled addresses.

Remediation

Users should update 'error-ex' to version 1.3.4, remove the 'node_modules' directory, clean the package manager's global cache, and rebuild any browser bundles from scratch. Those using private registries should purge the compromised version from their caches.
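
As an added example (not part of the advisory or of the error-ex project), the function below checks a parsed package-lock.json for any install path that still resolves 'error-ex' to the compromised 1.3.3, covering both the flat "packages" map and the nested "dependencies" tree. The sample lockfiles and the function name are constructed for illustration.

```javascript
// Added example: package name and versions are taken from the advisory text.
const PKG = 'error-ex';
const BAD = '1.3.3'; // release published from the phished account

// Return every install path in a parsed package-lock.json that resolves PKG to BAD.
function findCompromised(lock) {
  const hits = new Set();
  // lockfileVersion 2 and 3: flat "packages" map keyed by install path.
  for (const [installPath, meta] of Object.entries(lock.packages || {})) {
    const name = installPath.split('node_modules/').pop();
    if (name === PKG && meta.version === BAD) hits.add(installPath);
  }
  // lockfileVersion 1 (also kept in version 2): nested "dependencies" tree.
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const installPath = `${prefix}node_modules/${name}`;
      if (name === PKG && meta.version === BAD) hits.add(installPath);
      walk(meta.dependencies, `${installPath}/`);
    }
  };
  walk(lock.dependencies, '');
  return [...hits].sort();
}

// Constructed sample lockfiles (not real project data).
const sampleV3 = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/error-ex': { version: '1.3.4' },
    'node_modules/parse-json': { version: '5.2.0' },
    'node_modules/parse-json/node_modules/error-ex': { version: '1.3.3' },
  },
};
const sampleV1 = {
  lockfileVersion: 1,
  dependencies: {
    'error-ex': { version: '1.3.3' },
    'parse-json': {
      version: '5.2.0',
      dependencies: { 'error-ex': { version: '1.3.3' } },
    },
  },
};

console.log(findCompromised(sampleV3));
console.log(findCompromised(sampleV1));
```

To check a real project, pass the function the result of `JSON.parse` on its package-lock.json. A hit on a nested path means a copy of 1.3.3 is pinned beneath another dependency and must also be replaced before rebuilding.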

Added: Sep 15, 2025, 10:24 PM
Updated: Sep 15, 2025, 10:24 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 7.7
remediation: 7.7
relevance: 0.5
threat: 6.4
urgency: 10.0
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.