
Misbehaving npm Packages Misused to Manipulate Ethereum Intellectual Properties

Harmful Ethereum smart contract tactics are being detected, aiming at developers through npm and GitHub platforms.

Harmful npm Modules Infiltrate Ethereum Blockchain Programs

A recent security analysis has uncovered a malicious campaign targeting developers in the cryptocurrency sector. The campaign, which first came to light in early July of 2024, uses an unusual deployment of Ethereum smart contracts to conceal its command-and-control (C2) infrastructure.

The campaign began with an npm package named "colortoolsv2". Keeping the C2 details in a smart contract made detection significantly harder, because the malicious infrastructure was hidden on the blockchain rather than inside the package files, where scanners normally look. The campaign highlights how quickly malicious actors who trawl open source repositories and target their developers are evolving their detection evasion strategies.

Forks and commits were used to create the illusion of popularity, with puppet accounts acting as maintainers to inflate the projects' apparent legitimacy. Stars and watchers came from accounts created in July, each with minimal activity. This fabricated activity helped disguise the malicious repositories, which were presented as cryptocurrency trading systems.

GitHub repositories tied to the malicious campaign were disguised as cryptocurrency trading bots. The fake repositories had thousands of commits, multiple maintainers, and active watchers, but much of this activity was fabricated. The most prominent example was a repository named "solana-trading-bot-v2," which bundled the malicious npm package.
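The vetting check such fabricated activity calls for, as an added example that is not part of the article or of ReversingLabs' research: a JavaScript heuristic that scores a repository on how much of its stars and commit history comes from freshly created, otherwise idle accounts, and on how few authors produced its commits. The input shape is an assumption loosely modelled on what a code-hosting API returns for stargazers and commits, and every account, star and commit below is constructed for the demo.

```javascript
// Added example, not from the article or from ReversingLabs: a heuristic that
// scores the "fabricated popularity" signals the article describes (stars,
// watchers and commits from freshly created, otherwise idle accounts).
// The input shape is an assumption loosely modelled on hosting-API objects;
// all sample data below is constructed.

const DAY_MS = 24 * 60 * 60 * 1000;

// An account is "fresh and idle" for a given event (a star, a commit) if it was
// created within `windowDays` before the event and has almost no other footprint.
function isFreshIdle(account, eventAt, windowDays = 60) {
  const ageDays = (Date.parse(eventAt) - Date.parse(account.createdAt)) / DAY_MS;
  return ageDays >= 0 && ageDays <= windowDays
    && account.publicRepos <= 1 && account.followers === 0;
}

function share(items, pred) {
  return items.length ? items.filter(pred).length / items.length : 0;
}

// Returns the computed shares plus human-readable findings. A repo is flagged
// only when at least two independent signals fire, so one new-ish contributor
// does not trip it on its own.
function assessRepo(repo) {
  const freshStarShare = share(repo.stargazers, s => isFreshIdle(s.user, s.starredAt));
  const freshCommitShare = share(repo.commits, c => isFreshIdle(c.author, c.date));
  const authors = new Set(repo.commits.map(c => c.author.login)).size;

  const findings = [];
  if (freshStarShare > 0.5) {
    findings.push(`${Math.round(freshStarShare * 100)}% of stars come from fresh idle accounts`);
  }
  if (freshCommitShare > 0.5) {
    findings.push(`${Math.round(freshCommitShare * 100)}% of commits come from fresh idle accounts`);
  }
  if (repo.commits.length >= 1000 && authors <= 3) {
    findings.push(`${repo.commits.length} commits from only ${authors} author(s)`);
  }
  return { freshStarShare, freshCommitShare, authors, findings, suspicious: findings.length >= 2 };
}

// Constructed sample accounts.
const fresh = (login, createdAt) => ({ login, createdAt, publicRepos: 1, followers: 0 });
const veteran = login => ({ login, createdAt: "2017-03-12T00:00:00Z", publicRepos: 40, followers: 120 });

// Constructed: four of five stars from accounts a few weeks old, and 1,200
// commits from two throwaway maintainer accounts created the same month.
const SUSPICIOUS_REPO = {
  stargazers: [
    { user: fresh("star-a", "2024-07-03T00:00:00Z"), starredAt: "2024-07-20T00:00:00Z" },
    { user: fresh("star-b", "2024-07-04T00:00:00Z"), starredAt: "2024-07-20T00:00:00Z" },
    { user: fresh("star-c", "2024-07-04T00:00:00Z"), starredAt: "2024-07-21T00:00:00Z" },
    { user: fresh("star-d", "2024-07-05T00:00:00Z"), starredAt: "2024-07-21T00:00:00Z" },
    { user: veteran("longtime-dev"), starredAt: "2024-07-22T00:00:00Z" },
  ],
  commits: Array.from({ length: 1200 }, (_, i) => ({
    author: fresh(i % 2 ? "maint-1" : "maint-2", "2024-07-02T00:00:00Z"),
    date: `2024-07-${String(10 + (i % 10)).padStart(2, "0")}T12:00:00Z`,
  })),
};

// Constructed: a modest project with established stargazers and five long-standing authors.
const BENIGN_REPO = {
  stargazers: ["u1", "u2", "u3"].map(l => ({ user: veteran(l), starredAt: "2024-07-20T00:00:00Z" })),
  commits: Array.from({ length: 50 }, (_, i) => ({
    author: veteran(`dev-${i % 5}`),
    date: "2024-06-01T00:00:00Z",
  })),
};

console.log(JSON.stringify(assessRepo(SUSPICIOUS_REPO), null, 2));
console.log(JSON.stringify(assessRepo(BENIGN_REPO), null, 2));
```

The thresholds (60-day window, 50% shares, 1,000 commits from three or fewer authors) are starting points to tune against repositories you already trust; the point is that stars and commit counts are only meaningful once the accounts behind them have been looked at.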

The malicious packages deployed a second-stage malware payload through blockchain infrastructure: both used Ethereum smart contracts to store and serve the URLs from which the second-stage malware was fetched. This is an unusual method; malicious npm downloaders typically embed the URLs or scripts directly in the package itself.
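The pre-install triage such a downloader calls for, as an added example that is not part of the article or of ReversingLabs' tooling: a JavaScript static check over a package's manifest and source files that looks for the combination the article describes (an install-time lifecycle hook, a blockchain client dependency, a network fetch and dynamic code execution in the same file), and escalates only when they co-occur. The package structure, the indicator lists and both sample packages are assumptions constructed for the demo; the suspicious sample carries indicator lines only, not a working loader.

```javascript
// Added example, not from the article or from ReversingLabs: a static triage
// pass over an npm package's manifest and files for the indicator combination
// the article describes. Package contents below are constructed.

const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];
const CHAIN_CLIENT_DEPS = ["ethers", "web3", "viem", "@solana/web3.js"];

// Each indicator alone is common in legitimate code; the triage only escalates
// when all three appear in one file.
const INDICATORS = {
  chainClient: /require\(['"](ethers|web3|viem|@solana\/web3\.js)['"]\)|from\s+['"](ethers|web3|viem|@solana\/web3\.js)['"]/,
  networkFetch: /\bhttps?\.get\(|\bfetch\(|\baxios\b/,
  dynamicExec: /\beval\(|new Function\(|child_process|vm\.runIn/,
};
const LOADER_CHAIN = ["chainClient", "networkFetch", "dynamicExec"];

// Returns a severity ("clean", "review", "high", "critical") and the findings
// that led to it. "critical" means the loader chain sits behind an install hook,
// i.e. it would run on `npm install` without anyone importing the package.
function triagePackage(pkg) {
  const findings = [];
  const scripts = pkg.manifest.scripts || {};
  const hooks = LIFECYCLE_HOOKS.filter(h => h in scripts);
  for (const h of hooks) findings.push(`lifecycle hook ${h}: "${scripts[h]}"`);

  const deps = { ...(pkg.manifest.dependencies || {}), ...(pkg.manifest.optionalDependencies || {}) };
  const chainDeps = CHAIN_CLIENT_DEPS.filter(d => d in deps);
  if (chainDeps.length) findings.push(`blockchain client dependency: ${chainDeps.join(", ")}`);

  let loaderFile = null;
  for (const [name, src] of Object.entries(pkg.files || {})) {
    const hits = Object.keys(INDICATORS).filter(k => INDICATORS[k].test(src));
    if (hits.length) findings.push(`${name}: ${hits.join(", ")}`);
    if (LOADER_CHAIN.every(k => hits.includes(k))) loaderFile = name;
  }

  let severity = findings.length ? "review" : "clean";
  if (loaderFile) {
    findings.push(`${loaderFile}: chain client + network fetch + dynamic execution in one file`);
    severity = hooks.length ? "critical" : "high";
  }
  return { severity, findings };
}

// Constructed: a package whose postinstall script runs a file carrying all three indicators.
const SUSPICIOUS_PKG = {
  manifest: {
    name: "example-color-utils", version: "2.0.0",
    scripts: { postinstall: "node setup.js" },
    dependencies: { ethers: "^6.0.0" },
  },
  files: {
    "setup.js": [
      "const { ethers } = require('ethers');",
      "const https = require('https');",
      "// constructed indicator lines only; not a working loader",
      "https.get(location, onResponse);",
      "eval(body);",
    ].join("\n"),
  },
};

// Constructed: a small colour helper with no hooks and no such indicators.
const BENIGN_PKG = {
  manifest: { name: "hex-trim", version: "1.0.0" },
  files: { "index.js": "module.exports = hex => hex.replace(/^#/, '');" },
};

console.log(triagePackage(SUSPICIOUS_PKG));
console.log(triagePackage(BENIGN_PKG));
```

Run this against the extracted tarball of a dependency before it is allowed to execute lifecycle scripts (or install with `npm install --ignore-scripts` and review "critical" and "high" results by hand). The regexes are deliberately coarse; they are a triage filter, not a verdict.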

Attackers attempted to continue the operation by publishing a duplicate package, "mimelib2." The campaign fits a wider pattern: the compromise of the PyPI package ultralytics in December 2024, which delivered a coin miner, was one of the 23 software supply chain attacks targeting crypto-focused developers that year.

Researchers stated that they had not previously seen smart contracts used to load malicious commands in this way. ReversingLabs researchers warned that developers must carefully vet libraries and maintainers, looking beyond surface metrics such as stars or downloads. The report concluded that vigilance and stronger package assessment tools are essential to protecting digital assets and development environments.

While the group responsible for this manipulation of open-source repositories has not been named, the security community is urged to remain vigilant and to adopt best practices for securing development environments and open-source dependencies.
