Stealing Bitcoin with NPM namesquatting

JonnyBurger
Mar 13, 2018


The following is an idea of how one could try to steal cryptocurrencies that I believe could be very effective. The idea consists of two attack vectors:

Attack vector 1: Your wallet is on your disk

When you download a desktop wallet such as Bitcoin Core, it saves your wallet on the filesystem. There are two types of wallets: Unencrypted wallets will give anyone who has the file immediate access to all assets in the wallet, while encrypted wallets will require a password to access the funds.

The Bitcoin Core wallet by default is not encrypted. This leaves inexperienced users exposed to a huge risk, because every process that can read the filesystem has access to the private keys of the wallet. The Electrum wallets (Electrum Bitcoin, Electrum-LTC, Electron Cash) also allow you to skip setting a password without too much complaining.

Getting the unencrypted seed for your Electrum-LTC wallet from the command line. Having the seed means having full access to the wallet.

This is why it is super important that you set a password in your desktop wallet, even if only you have physical access to the computer. But even then, exposing your encrypted wallet is not ideal. If your password is not strong, it can be brute-forced using a password attack.

Attack vector 2: Deploying malicious code on NPM

Whenever you “npm install” something, the package you install has the chance to run arbitrary code on your computer using a “postinstall” script. Yes, any package you install has the chance to read the /etc/passwd file on your computer and send it to a server.

About a year ago, I tried to install a command-line tool called “babel-node”, but I typed in the wrong command. I typed in “npm install -g babel-node”, but the correct way to install it would have been “npm install -g babel-cli”.

The package name “babel-node” was not yet taken, though, and I thought this would be a common mistake people make, so I published a joke module that would try to read the user's GitHub username and show a personalized dialog message to the user before exiting and doing no harm.

So how many people fell for my fake module? Turns out the package has been installed over 96'000 times since then according to npm-stats.com! Check out the reactions from some people on Twitter:

My point is, using this technique, it is relatively easy to get people to run your code on their machine. It is also important to emphasize that the module does not need to be required from code, but runs during the installation process. As soon as you mistype, you are at risk.

Namesquatting NPM packages for profit

A malicious NPM module can easily be made. Here is my unsophisticated proof of concept. If I were to publish this module and you were to type “npm install experss” by accident, maybe I would steal your coins. You might not even immediately notice you made a typo, because it still installs express and you can use it in your project.
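A defender-side check, added here as an example and not part of the original post: it scans a package.json for dependency names that are within one edit (including a swapped pair of letters) of a well-known package name, which is exactly the “experss” vs “express” case above. The list of known packages, the sample package.json and the function names `editDistance` and `findTyposquats` are all constructed for this example.

```javascript
// Constructed list of well-known package names (in practice: your allow-list or a registry popularity feed).
const KNOWN = ["express", "babel-cli", "lodash", "react", "request"];

// Restricted Damerau-Levenshtein distance: insert, delete, substitute, or swap two adjacent letters.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      // Transposition: "re" typed as "er" counts as a single edit.
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Returns one {name, lookalike} entry for every dependency that is not itself a known
// package but is a single typo away from one. Scans both dependencies and devDependencies.
function findTyposquats(pkgJson, known = KNOWN) {
  const deps = { ...(pkgJson.dependencies || {}), ...(pkgJson.devDependencies || {}) };
  const hits = [];
  for (const name of Object.keys(deps)) {
    if (known.includes(name)) continue;
    for (const k of known) {
      if (editDistance(name, k) === 1) hits.push({ name, lookalike: k });
    }
  }
  return hits;
}

// Constructed package.json: two near-miss names plus the babel-node typo from the post.
const SAMPLE = {
  dependencies: { experss: "^4.16.0", lodahs: "^4.17.0" },
  devDependencies: { "babel-node": "*" },
};

console.log(findTyposquats(SAMPLE));
```

Edit distance alone does not flag the babel-node/babel-cli case (the names differ by four edits), so a check like this complements, rather than replaces, installing with `npm install --ignore-scripts` so that postinstall hooks cannot run at all.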

This is why you need a hardware wallet

This is a good argument against storing your coins on a computer, only a hardware wallet will protect you from this relatively trivial attack. Stay safe and if you liked this post, consider buying a Nano Ledger S with my affiliate link!
