Alert | KuCoin Security Team Captures Supply Chain Attack Targeting Exchange Users

On February 12, 2025, the Kucoin security team detected a supply chain attack targeting users of major centralized exchanges (CEXs) through its self-developed security scanning platform. The team quickly responded and analyzed the malicious behaviors embedded in the dependency package. As of now, the malicious dependency has been downloaded hundreds of times. Kucoin’s security team has reported the malicious dependency to NPM’s official team and is issuing this alert to warn users to stay vigilant. 

Sample Behavior 

Kucoin’s security scanning platform detected a dependency package disguised as the Kucoin API SDK in the official NPM repository. When installed via npm, this package retrieves secret keys stored on the user’s server or local machine and sends them to the malicious domain: http://ihlkoqayjlegsltkrlhf1sg6hpfdbmrgy[.]oast[.]fun

Sample Analysis

Analysis through Kucoin’s sandbox scanning platform revealed that this malicious dependency was masquerading as SDK dependency packages related to both Kucoin and Kraken on the NPM official repository.

These types of dependencies employ obfuscated names to trick users into installing fake dependency packages. During the installation process, they embed malicious commands that extract secret key files from the user’s local environment or server and send the data to a malicious domain via DNSlog.

The specific trigger point of the malicious behavior is as follows: the malicious command is executed during the pre-installation phase of the dependency package.

All 10 dependency packages in the repository of this malicious source exhibit the same behavior. 

Attacker Profile 

The investigation uncovered the following registration details associated with the attacker on the NPM official repository: 

Username: superhotuser1
Email: tafes30513@shouxs[.]com 

According to verifymail.io, the domain shouxs[.]com is associated with temporary email services, indicating that the attacker is an experienced hacker skilled in anti-tracking techniques.

Threat Description 

Supply chain attacks pose significant risks. As they develop, their impact expands, given that many projects rely on numerous third-party packages. Once a malicious package is published and widely used, its effects spread rapidly. Malicious dependencies can steal sensitive user information, such as environment variables, API keys, and user data, leading to data leaks. They can also execute destructive actions like file deletion, data encryption (ransomware), or system disruption. Furthermore, attackers may implant backdoors within the package, allowing long-term control over affected systems and enabling further attacks. 

The malicious dependencies targeting Kucoin and Kraken specifically steal user login keys. If users log into their personal computers or servers using usernames and passwords, there is a significant risk that their servers could be compromised. 

As of the time Kucoin’s security team issued this alert, the malicious dependency had been downloaded hundreds of times. The download statistics are as follows: 

kucoin-production, downloads: 67
kucoin-main, downloads: 70
kucoin-internal, downloads: 63
kucoin-test, downloads: 69
kucoin-dev, downloads: 66 

kraken-dev, downloads: 70
kraken-main, downloads: 65
kraken-production, downloads: 67
kraken-test, downloads: 65
kraken-internal, downloads: 64 

IOC 

From the time the attacker uploaded the malicious dependency to the moment Kucoin’s security team detected it, less than one day had passed. Kucoin’s security team has already reported the issue to NPM’s official team, though further investigation and removal may take some time. In the meantime, Kucoin has issued this public warning to alert users and help prevent compromise.