Alert | KuCoin Security Team Captures Supply Chain Attack Targeting Exchange Users
Introduction
On February 12, 2025, the Kucoin security team, using its in-house security scanning platform, detected a supply chain attack targeting users of major centralized exchanges (CEXs). The team responded quickly and analyzed the malicious behavior embedded in the dependency packages. As of now, the malicious dependencies have been downloaded hundreds of times. Kucoin’s security team has reported them to NPM’s official team and is issuing this alert to warn users to stay vigilant.
Sample Analysis
Sample Behavior
Kucoin’s security scanning platform detected a dependency package disguised as the Kucoin API SDK in the official NPM repository. When installed via npm, this package collects secret key files stored on the user’s server or local machine and sends their contents to the attacker-controlled domain: http://ihlkoqayjlegsltkrlhf1sg6hpfdbmrgy[.]oast[.]fun
Sample Analysis
Analysis through Kucoin’s sandbox scanning platform revealed that this malicious dependency was masquerading as SDK dependency packages related to both Kucoin and Kraken on the NPM official repository.
Dependencies of this kind use misleading, look-alike names to trick users into installing fake packages. During installation they run embedded malicious commands that read secret key files from the user’s local environment or server and send the data to the attacker’s domain over a DNSlog (out-of-band DNS callback) channel.
The trigger point is the package’s pre-installation phase: npm executes the malicious command as a preinstall lifecycle script, so the theft happens before any of the package’s code is ever imported by the user’s project.
All ten packages published by this malicious source exhibit the same behavior.
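One way a defender can catch the pattern described above before running `npm install`: audit a package manifest for install-time lifecycle hooks that reference the alert’s callback domain, any *.oast.* out-of-band host, local secret files, or ad-hoc network/DNS calls, and check the package name against the ten names this alert lists. This is an added example, not KuCoin’s code; the detection rules and the sample manifests are constructed assumptions.

```javascript
// Added example (not KuCoin's code): audit a package.json for the install-time
// behaviour this alert describes. Package names and domain come from the alert;
// the heuristic rules and the sample manifests below are constructed.
const BAD_PACKAGES = new Set([
  'kucoin-production', 'kucoin-main', 'kucoin-internal', 'kucoin-test', 'kucoin-dev',
  'kraken-dev', 'kraken-main', 'kraken-production', 'kraken-test', 'kraken-internal',
]);
const BAD_DOMAIN = 'ihlkoqayjlegsltkrlhf1sg6hpfdbmrgy.oast.fun';

// Hooks npm runs automatically during install; the alert's sample fires at preinstall.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Assumed heuristics for what an install hook has no business doing.
const RULES = [
  { id: 'known-exfil-domain', re: new RegExp(BAD_DOMAIN.replace(/\./g, '\\.')) },
  { id: 'oast-callback-host', re: /\.oast\.[a-z]+\b/i },
  { id: 'reads-secret-files', re: /(\.ssh\/|\.env\b|\.npmrc|\.aws\/|\.kube\/)/ },
  { id: 'network-or-dns-call', re: /\b(curl|wget|nslookup|dig)\b|require\(['"]dns['"]\)/ },
];

// Returns one finding per matched rule; an empty array means nothing was flagged.
function auditManifest(pkg) {
  const findings = [];
  if (BAD_PACKAGES.has(pkg.name)) {
    findings.push({ hook: null, rule: 'name-on-ioc-list' });
  }
  const scripts = pkg.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== 'string') continue;          // hook not defined
    for (const rule of RULES) {
      if (rule.re.test(cmd)) findings.push({ hook, rule: rule.id });
    }
  }
  return findings;
}

// Constructed manifests: a benign native add-on, and a package shaped like the sample.
const benign = { name: 'some-native-addon', scripts: { postinstall: 'node-gyp rebuild' } };
const suspect = {
  name: 'kucoin-main',
  scripts: { preinstall: `node -e "require('dns').lookup('${BAD_DOMAIN}')"` },
};

console.log('benign :', auditManifest(benign));
console.log('suspect:', auditManifest(suspect));
```

In practice the same check is applied to every manifest under node_modules after a dry-run install, and `npm install --ignore-scripts` prevents lifecycle hooks from running at all while the audit is done.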
Attacker Profile
The investigation uncovered the following registration details associated with the attacker on the NPM official repository:
Username: superhotuser1
Email: tafes30513@shouxs[.]com
According to verifymail.io, the domain shouxs[.]com belongs to a temporary (disposable) email service, which suggests an experienced attacker who deliberately avoids leaving traceable identity information.
Threat Description
Supply chain attacks pose significant risks. Because many projects depend on numerous third-party packages, a malicious package that is published and widely used spreads its effects rapidly, and the impact grows as adoption grows. Malicious dependencies can steal sensitive information such as environment variables, API keys, and user data, leading to data leaks. They can also execute destructive actions such as file deletion, data encryption (ransomware), or system disruption. Furthermore, attackers may implant backdoors within the package, allowing long-term control over affected systems and enabling further attacks.
The malicious dependencies impersonating Kucoin and Kraken specifically steal users’ login keys. Users who log into their personal computers or servers with usernames and passwords face a significant risk that those servers could be compromised.
As of the time Kucoin’s security team issued this alert, the malicious dependency had been downloaded hundreds of times. The download statistics are as follows:
kucoin-production, downloads: 67
kucoin-main, downloads: 70
kucoin-internal, downloads: 63
kucoin-test, downloads: 69
kucoin-dev, downloads: 66
kraken-dev, downloads: 70
kraken-main, downloads: 65
kraken-production, downloads: 67
kraken-test, downloads: 65
kraken-internal, downloads: 64
IOC
Type | Value | Remarks
--- | --- | ---
Domain | http://ihlkoqayjlegsltkrlhf1sg6hpfdbmrgy[.]oast[.]fun | Malicious DNSlog subdomain
URL | | Malicious dependency source URL
Installation package SHA-256 | cc07e9817e1da39f3d2666859cfaee3dd6d4a9052353babdc8e57c27e0bafc07 | kucoin-main-19.4.9.tgz
Installation package SHA-256 | db516926a9950b9df351f714c9ed0ae4b521b1b37336480e2dd5d5c9a8118b53 | kucoin-production-19.4.9.tgz
Installation package SHA-256 | 2e0e190d7f1af6e47849142eec76b69e9a5324258f6ea388696b1e2e6d87e2f8 | kucoin-dev-19.4.9.tgz
Installation package SHA-256 | ea1da680560eefa3b55a483a944feeee292f273873007c09fd971582839a7989 | kucoin-test-19.4.9.tgz
Installation package SHA-256 | 6de0c9adf18a472027235f435f440a86cfae58e84be087a2dde9b5eec8eba80c | kucoin-internal-19.4.9.tgz
Installation package SHA-256 | 1c9c5fd79c3371838907a108298dfb5b9dd10692b021b664a54d2093b668f722 | kraken-test-19.4.9.tgz
Installation package SHA-256 | 371d9ba2071b29a1e857697d751f3716f0749a05495899f2320ba78530a884c5 | kraken-dev-19.4.9.tgz
Installation package SHA-256 | be50cb0c9c84fec7695ae775efc31da5c2c7279068caf08bd5c4f7e04dbc748f | kraken-production-19.4.9.tgz
Installation package SHA-256 | 8b1576d6bba74aa9d66a0d7907c9afe8725f30dcf1d277c63c590adf6d8c1a4e | kraken-main-19.4.9.tgz
Installation package SHA-256 | 7fa9feb4776c7115edbcd6544ed1fd8d9b0988eeda1434ba45b8ea0803e02f21 | kraken-internal-19.4.9.tgz
Mitigation
Less than one day passed between the attacker uploading the malicious dependencies and Kucoin’s security team detecting them. Kucoin’s security team has already reported the issue to NPM’s official team, though further investigation and removal may take some time. In the meantime, Kucoin has issued this public warning to alert users and help prevent compromise.