is-arrayish npm Package Malware Injection Vulnerability

Vulnerability

Version 0.3.3 of the 'is-arrayish' npm package contains injected malware that redirects cryptocurrency transactions to attacker-controlled addresses. The malicious version was published after a phishing attack compromised the package author's npm account. The malware targets transactions in browser environments, including applications built with popular bundling tools and frameworks. It specifically affects wallets like MetaMask by intercepting and altering transaction data before it is signed, creating a risk of unauthorized fund transfers.

Impact

The vulnerability introduces a malware payload that hijacks cryptocurrency transactions, redirecting funds to addresses controlled by the attacker. This manipulation occurs without the user's knowledge, as the malware operates discreetly in the background, especially targeting transactions involving decentralized exchanges.

Reproduction

The vulnerability can be reproduced by including the 'is-arrayish' package version 0.3.3 in a project that will be run in a browser environment. This can be done by adding the package to the project's dependencies and then bundling the application with a tool that supports JavaScript modules, such as Rollup or Vite. Once the application is built and served in a browser, the malware will activate if a cryptocurrency wallet is connected.

Remediation

Users should update the 'is-arrayish' package to version 0.3.4, which removes the malware. Because 'is-arrayish' is commonly pulled in as a transitive dependency, check the lockfile rather than only the direct dependency list. After updating, completely delete the 'node_modules' directory, clean the package manager's global cache, and rebuild any browser bundles from scratch so that no stale copy of 0.3.3 survives in a cached or prebuilt artifact. Those using private registries should purge the compromised version from their cache.
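As an added example that is not part of this advisory, the following POSIX shell script checks a project's lockfile for the compromised release and, if it is found, carries out the cleanup steps above. The handled lockfile formats (npm lockfile v1 to v3, classic yarn.lock, pnpm-lock.yaml), the use of `npm update` to re-resolve a transitive dependency, and the existence of an `npm run build` script in the project are assumptions about the reader's setup, not statements from the advisory.

```shell
#!/bin/sh
# Added example, not part of the advisory: audit lockfiles for the compromised
# is-arrayish release and run the advisory's cleanup steps.

COMPROMISED_PKG="is-arrayish"
COMPROMISED_VERSION="0.3.3"
FIXED_VERSION="0.3.4"

# lockfile_pins_version LOCKFILE PKG VERSION
# Exit status 0 if LOCKFILE resolves PKG to exactly VERSION anywhere in the
# tree, 1 otherwise. Handles package-lock.json (v1-v3), classic yarn.lock and
# pnpm-lock.yaml (assumed formats); unknown files are treated as "not found".
lockfile_pins_version() {
  lockfile="$1"; pkg="$2"; ver="$3"
  [ -f "$lockfile" ] || return 1
  case "$(basename "$lockfile")" in
    package-lock.json|npm-shrinkwrap.json)
      # An entry header is "is-arrayish": { (v1) or "node_modules/is-arrayish": {
      # (v2/v3); the next "version" line belongs to that entry. Range references
      # such as "is-arrayish": "^0.3.2" do not open an object and are skipped.
      awk -v pkg="$pkg" -v ver="$ver" '
        $0 ~ ("[\"/]" pkg "\"[ \t]*:[ \t]*[{][ \t]*$") { inpkg = 1; next }
        inpkg && index($0, "\"version\"") {
          if (index($0, "\"" ver "\"")) found = 1
          inpkg = 0
        }
        END { exit found ? 0 : 1 }
      ' "$lockfile"
      ;;
    yarn.lock)
      # Classic yarn entry: is-arrayish@^0.3.1, is-arrayish@^0.3.2:  then  version "0.3.3"
      awk -v pkg="$pkg" -v ver="$ver" '
        $0 ~ ("^\"?" pkg "@") { inpkg = 1; next }
        inpkg && $1 == "version" { if (index($0, "\"" ver "\"")) found = 1; inpkg = 0 }
        END { exit found ? 0 : 1 }
      ' "$lockfile"
      ;;
    pnpm-lock.yaml)
      # pnpm keys resolved packages as is-arrayish@0.3.3: (v9) or /is-arrayish@0.3.3: (v6).
      grep -q -- "${pkg}@${ver}[:(]" "$lockfile"
      ;;
    *)
      return 1 ;;
  esac
}

# audit_project DIR: exit 0 (and print a finding) if any lockfile in DIR pins
# the compromised version, 1 otherwise.
audit_project() {
  for lf in package-lock.json npm-shrinkwrap.json yarn.lock pnpm-lock.yaml; do
    if lockfile_pins_version "$1/$lf" "$COMPROMISED_PKG" "$COMPROMISED_VERSION"; then
      echo "$1/$lf pins $COMPROMISED_PKG@$COMPROMISED_VERSION (compromised; fixed in $FIXED_VERSION)"
      return 0
    fi
  done
  return 1
}

# remediate DIR [dry-run]
# The cleanup the advisory prescribes, in order: drop node_modules, purge the
# package-manager cache, move the dependency to the fixed release, rebuild the
# bundle. With "dry-run" as $2 the commands are printed instead of executed.
remediate() {
  dir="$1"; mode="${2:-run}"
  run() { if [ "$mode" = "dry-run" ]; then echo "+ $*"; else "$@"; fi; }
  (
    cd "$dir" || exit 1
    run rm -rf node_modules
    run npm cache clean --force
    # is-arrayish is usually transitive; `npm update` re-resolves it within the
    # declared range, which moves 0.3.3 to 0.3.4 (assumption: range allows it).
    run npm update "$COMPROMISED_PKG"
    # Assumes the project defines a "build" script that produces the browser bundle.
    run npm run build
  )
}

# Usage: sh audit-is-arrayish.sh /path/to/project [dry-run|run]
if [ "${1:-}" ]; then
  if audit_project "$1"; then
    remediate "$1" "${2:-dry-run}"
  else
    echo "$1: no lockfile pins $COMPROMISED_PKG@$COMPROMISED_VERSION"
  fi
fi
```

The audit deliberately parses lockfiles rather than `package.json`, because the compromised release is almost always reached through another package's dependency range and never appears in the project's own dependency list. The remediation defaults to dry-run so the commands can be reviewed before anything is deleted; pass `run` as the second argument to execute them.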

Added: Sep 15, 2025, 10:22 PM
Updated: Sep 15, 2025, 10:22 PM

Vulnerability Rating

Custom Algorithm
  spread          0.0
  impact          5.0
  exploitability  7.7
  remediation     7.7
  relevance       0.5
  threat          6.4
  urgency        10.0
  incentive       0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.