Malicious npm packages exploit the Ethereum blockchain for distributing malware covertly.
In a recent discovery, researchers at ReversingLabs uncovered a coordinated campaign involving malicious npm packages and GitHub repositories, targeting users and developers in the cryptocurrency space. The attackers used Ethereum smart contracts to deliver malware payloads, in an attempt to evade security tools that scan npm packages for suspicious URLs and commands.
The campaign, which came to light in July, involved two rogue npm packages, and , and a replacement for one of them. Unlike typical supply chain attacks with rogue npm packages, these packages were not crafted to look legitimate or attractive for developers to include in their projects.
The focus of the campaign was to trick users into running code from fake GitHub repositories, which would then automatically pull in the npm packages as dependencies. The rogue GitHub repositories, claiming to host automated cryptocurrency trading bots, were found to be fake, published by sockpuppet accounts created around the same time as the npm packages. Most commits in the repositories consisted of deleting and re-adding the project's LICENSE file.
The npm packages contained code that connects to the Ethereum blockchain to read URLs stored in Ethereum smart contracts; those URLs are then contacted to download the malware payloads. Storing the URL on-chain means the package source itself contains no suspicious download address for a scanner to match. The operators behind these malicious activities are linked to Ethereum smart contracts created in 2023, though specific identities have not been publicly confirmed.
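Because the payload URL lives on-chain rather than in the package, URL-based scanning misses it; what a defender can still flag is the combination of behaviours: a contract read, a network fetch, and code execution, especially when wired to an install hook. The following is an added heuristic pre-install scanner written for this article, not code from ReversingLabs or from the packages described; the indicator patterns and the two sample packages are constructed for illustration.

```javascript
// Added example: heuristic scan of an npm package's source for the
// "read URL from an Ethereum contract -> download -> execute" pattern.
// Pattern lists are illustrative assumptions, not a complete signature set.
const CHAIN_READ = [/require\(['"](ethers|web3)['"]\)/, /eth_call/, /new\s+[\w.]*Contract\(/];
const NET_FETCH = [/\bhttps?\.get\(/, /\bfetch\(/, /require\(['"]axios['"]\)/];
const EXEC = [/require\(['"]child_process['"]\)/, /\beval\(/, /new\s+Function\(/];
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// pkg = { packageJson: <parsed package.json>, files: { path: sourceText } }
function analyzePackage(pkg) {
  const src = Object.values(pkg.files).join('\n');
  const any = (pats) => pats.some((re) => re.test(src));
  const findings = [];
  if (any(CHAIN_READ)) findings.push('reads data from an Ethereum contract');
  if (any(NET_FETCH)) findings.push('fetches content over the network');
  if (any(EXEC)) findings.push('executes code or spawns a process');
  const scripts = pkg.packageJson.scripts || {};
  const installHooks = INSTALL_HOOKS.filter((h) => h in scripts);
  // A single capability (e.g. a bot reading on-chain prices) is normal;
  // all three together, triggered on install, is the campaign's shape.
  let risk = 'low';
  if (findings.length === 3) risk = installHooks.length ? 'critical' : 'high';
  else if (findings.length === 2) risk = 'medium';
  return { risk, findings, installHooks };
}

// Constructed sample: a legitimate-looking bot that only reads on-chain data.
const benignBot = {
  packageJson: { name: 'price-watcher', scripts: { test: 'node test.js' } },
  files: { 'index.js': "const { ethers } = require('ethers');\n" +
    "const c = new ethers.Contract(ADDR, ABI, provider);\n" +
    "module.exports = () => c.latestAnswer();" },
};
// Constructed sample: the flagged pattern, with a postinstall hook.
const suspicious = {
  packageJson: { name: 'trade-helper', scripts: { postinstall: 'node index.js' } },
  files: { 'index.js': "const { ethers } = require('ethers');\n" +
    "const https = require('https');\n" +
    "const { exec } = require('child_process');\n" +
    "const c = new ethers.Contract(ADDR, ABI, provider);\n" +
    "/* reads c.getUrl(), then https.get(url) and exec(...) on the result */" },
};

console.log(analyzePackage(benignBot).risk, analyzePackage(suspicious).risk);
```

Run it against an unpacked tarball before `npm install`, feeding every `.js` file into `files`; a `critical` result warrants manual review of the install script rather than outright rejection.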
Last year, ReversingLabs detected 32 attack campaigns involving malicious code uploaded to open-source repositories targeting cryptocurrency-related developers and users. The attacks demonstrate that supply chain attacks on repositories are evolving, and developers and development organizations need to be vigilant against efforts to implant malicious code in legitimate applications, gain access to sensitive development assets, and steal sensitive data and digital assets.
The attackers are experienced and will likely set up new rogue npm packages and GitHub repositories. It is critical for developers to assess each library they are considering implementing before deciding to include it in their development cycle, looking beyond raw numbers of maintainers, commits, and downloads. The use of Ethereum smart contracts was likely an attempt to evade security tools scanning npm packages for suspicious URLs and commands, underscoring the need for developers to be cautious and thorough in their evaluations.
ReversingLabs researchers wrote a report on the attack detailing their findings. The report serves as a reminder for the community to remain vigilant and to adopt best practices in securing their development environments. The attacks highlight the importance of a proactive approach to security, with developers and organizations taking steps to protect their assets and users from such threats.