Revived CryptoJS library is a crypto stealer in disguise

An illicit npm package called 'crypto-encrypt-ts' may appear to revive the unmaintained but vastly popular CryptoJS library, but what it actually does is peek into your crypto wallet and exfiltrate your secrets to threat actors.

Discovered by Sonatype's automated malware detection systems, the counterfeit 'crypto-encrypt-ts' has been downloaded more than 1,928 times already since its publication.

Pretends to revive the CryptoJS library

The vastly popular CryptoJS library on npm, now unmaintained, continues to be downloaded millions of times weekly, with its forks like 'crypto-ts' garnering similar traction.

Because of this, it's not surprising that threat actors were inspired to publish a counterfeit 'crypto-encrypt-ts' package that appears to mimic these legitimate libraries, but accomplishes nefarious tasks instead.

Analyzed by Sonatype Security Researcher Jeff Thornhill and tracked as sonatype-2025-001329, the malicious 'crypto-encrypt-ts' touts itself as the "TypeScript" spinoff of the discontinued CryptoJS library, which gets over 8,000,000 weekly downloads. It even borrows documentation from the legitimate package(s), and has managed to hit 1,928 downloads already.

The package published by npm user 'crypto-security-tool' is their only package on the registry.

Abuses Better Stack (formerly Logtail) to steal crypto wallet keys

The package is seen abusing the legitimate Better Stack (formerly called Logtail) service to exfiltrate data to an endpoint set up by the threat actor. Better Stack is a platform for collecting and seamlessly analyzing logs from any stack to "debug any issue, and resolve any incident."

In particular, Thornhill pointed out the usage of Better Stack's @logtail/node npm package in the "start.js" file. The endpoint shown below, taken from the package, is where the collected data is siphoned off to:

s1287874.eu-nbg-2.betterstackdata[.]com

As evident from the code above (in v5.4.2), the package searches for MongoDB connection information on the system and, if found, attempts to retrieve cryptocurrency wallet addresses and their balances, as well as environment variables. The presence of code comments and console messages in Turkish is another interesting detail, potentially alluding to the counterfeit component's origins.

Targets wallets with more than 1000 in crypto balance

Subsequent iterations of the code in higher versions (e.g. v5.4.5) are seen looking exclusively for wallets with a balance greater than 1000 in crypto, and fetching private keys as well, before exfiltrating this information via the aforementioned Better Stack endpoint.

Gains persistence via cron jobs

The counterfeit component uses the 'pm2' library to schedule a cron job that lets it run indefinitely at repeated intervals for continuous data collection. pm2 is a production process manager for Node.js/Bun applications that lets you "keep applications alive forever" and reload them without downtime.

The most recent versions of the package contain code that is further evolved and obfuscated, making the true purpose of the copycat component harder to discern.

We have notified the npm registry of the malicious package prior to publishing and recommend removing any and all versions of 'crypto-encrypt-ts' from your system immediately.

Open source malware blocked by Sonatype Repository Firewall

This isn't the first time a stunt like this has been pulled. Last month, Sonatype first reported a case of multiple open source cryptocurrency libraries being hijacked and turned into crypto stealers by hostile actors.

Incidents like these are a stark reminder of threat actors' evolving tactics and commitment to exploiting the open source ecosystem for nefarious reasons. The event yet again highlights a pressing need for improved supply chain security measures and greater vigilance in monitoring the third-party software registries developers rely on. Organizations must prioritize security at every stage of the development process to mitigate risks associated with third-party dependencies.

Sonatype Repository Firewall and Sonatype Lifecycle stay on top of nascent attacks and vulnerabilities and provide you with detailed insights to thwart previously undetected malware, Potentially Unwanted Applications (PUAs), and vulnerable components from reaching your builds.

Malicious open source is designed to evade typical software composition analysis (SCA) scanners. However, users of Sonatype Repository Firewall can rest easy knowing that these packages would automatically be blocked from reaching their development builds and keep their software development life cycle (SDLC) hygienic.


Written by Ax Sharma

Ax is a Staff Security Researcher & Malware Analyst at Sonatype with a penchant for open source software. His works and expert analyses have frequently been featured by leading media outlets including the BBC. Ax's expertise lies in security vulnerability research, reverse engineering, and ...