Ethereum smart contracts quietly push JavaScript malware targeting developers


Hackers are using Ethereum smart contracts to hide malware payloads inside seemingly benign npm packages, a maneuver that turns the blockchain into a resilient command channel and complicates takedowns.

ReversingLabs detailed two npm packages, colortoolsv2 and mimelib2, that use a contract on Ethereum to fetch the URL of a second-stage downloader rather than hardcoding infrastructure in the package itself, a choice that reduces static indicators and leaves fewer clues in source code reviews.

The packages surfaced in July and were removed after disclosure. ReversingLabs traced their promotion to a network of GitHub repositories that posed as trading bots, including solana-trading-bot-v2, with fake stars, inflated commit histories, and sock-puppet maintainers, a social layer that steered developers toward the malicious dependency chain.

The downloads were low, but the method matters. Per The Hacker News, colortoolsv2 saw 7 downloads and mimelib2 one, which still fits opportunistic developer targeting. Snyk and OSV now list both packages as malicious, providing quick checks for teams auditing historical builds.

History repeating itself

The on-chain command channel echoes a broader campaign that researchers tracked in late 2024 across hundreds of npm typosquats. In that wave, packages executed install or preinstall scripts that queried an Ethereum contract, retrieved a base URL, and then downloaded OS-specific payloads named node-win.exe, node-linux, or node-macos.

Checkmarx documented a core contract at 0xa1b40044EBc2794f207D45143Bd82a1B86156c6b coupled with a wallet parameter 0x52221c293a21D8CA7AFD01Ac6bFAC7175D590A84, with observed infrastructure at 45.125.67.172:1337 and 193.233.201.21:3001, among others.

Phylum's deobfuscation shows the ethers.js call to getString(address) on the same contract and logs the rotation of C2 addresses over time, a behavior that turns contract state into a movable pointer for malware retrieval. Socket independently mapped the typosquat flood and published matching IOCs, including the same contract and wallet, confirming cross-source consistency.

An old vulnerability continues to thrive

ReversingLabs frames the 2025 packages as a continuation in method rather than scale, with the twist that the smart contract hosts the URL for the next stage, not the payload.

The GitHub distribution effort, including bogus stargazers and chore commits, aims to pass casual due diligence and leverage automated dependency updates inside clones of the fake repos.

The design resembles earlier use of third-party platforms for indirection, for example GitHub Gist or cloud storage, but on-chain storage adds immutability, public readability, and a neutral venue that defenders cannot easily take offline.

Per ReversingLabs, concrete IOCs from these reports include the Ethereum contract 0x1f117a1b07c108eae05a5bccbe86922d66227e2b linked to the July packages and the 2024 contract 0xa1b40044EBc2794f207D45143Bd82a1B86156c6b, wallet 0x52221c293a21D8CA7AFD01Ac6bFAC7175D590A84, host patterns 45.125.67.172 and 193.233.201.21 with port 1337 or 3001, and the platform payload names noted above.

Hashes for the 2025 second stage include 021d0eef8f457eb2a9f9fb2260dd2e391f009a21, and for the 2024 wave, Checkmarx lists Windows, Linux, and macOS SHA-256 values. ReversingLabs also published SHA-1s for each malicious npm version, which helps teams scan artifact stores for past exposure.

Protecting against the attack

For defense, the immediate control is to prevent lifecycle scripts from running during install and CI. npm documents the --ignore-scripts flag for npm ci and npm install, and teams can set it globally in .npmrc, then selectively allow essential builds with a separate step.

The Node.js security best practices page advises the same approach, together with pinning versions via lockfiles and stricter review of maintainers and metadata.

Blocking outbound traffic to the IOCs above and alerting on build logs that initialize ethers.js to query getString(address) provide practical detections that align with the chain-based C2 design.
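The following is an added example, not code from the article, ReversingLabs, or any of the cited vendors: a static audit of one npm package that combines the controls described above, flagging lifecycle hooks, ethers.js contract reads via getString(), and the contract and wallet addresses quoted in this article, plus a check that .npmrc disables scripts. The package manifest and install script used as input are constructed samples, and the finding labels and verdict thresholds are my own heuristics.

```javascript
// Added example (not code from the article or from ReversingLabs): a static audit
// of one npm package for the install-hook + on-chain lookup pattern described above.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];
// Contract and wallet addresses quoted in the article (compared case-insensitively).
const KNOWN_ADDRESSES = [
  "0xa1b40044ebc2794f207d45143bd82a1b86156c6b",
  "0x52221c293a21d8ca7afd01ac6bfac7175d590a84",
  "0x1f117a1b07c108eae05a5bccbe86922d66227e2b",
];
// manifestJson: package.json text; sources: { filename: file text }
function auditPackage(manifestJson, sources) {
  const findings = [];
  const manifest = JSON.parse(manifestJson);
  const scripts = manifest.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    if (scripts[hook]) findings.push(`hook:${hook}`);
  }
  for (const [file, text] of Object.entries(sources)) {
    // ethers.js Contract object initialised and getString() read in the same file
    if (/new\s+ethers\.Contract\s*\(/.test(text) && /\.getString\s*\(/.test(text)) {
      findings.push(`chain:${file}`);
    }
    const lower = text.toLowerCase();
    for (const addr of KNOWN_ADDRESSES) {
      if (lower.includes(addr)) findings.push(`ioc:${file}:${addr}`);
    }
  }
  const hasHook = findings.some((f) => f.startsWith("hook:"));
  const hasChain = findings.some((f) => f.startsWith("chain:") || f.startsWith("ioc:"));
  // A lifecycle hook next to an on-chain lookup is the campaign's signature: block.
  const verdict = hasHook && hasChain ? "block" : findings.length ? "review" : "pass";
  return { verdict, findings };
}
// True when an .npmrc disables lifecycle scripts (the --ignore-scripts control).
function npmrcIgnoresScripts(npmrcText) {
  return npmrcText.split(/\r?\n/).some((l) => /^\s*ignore-scripts\s*=\s*true\s*$/i.test(l));
}
// Constructed sample inputs (not real package contents) mimicking the described layout.
const SAMPLE_MANIFEST = JSON.stringify({
  name: "example-pkg", version: "1.0.0",
  scripts: { postinstall: "node install.js" }, dependencies: { ethers: "^6.0.0" },
});
const SAMPLE_INSTALL_JS = [
  'const { ethers } = require("ethers");',
  'const c = new ethers.Contract("0xa1b40044EBc2794f207D45143Bd82a1B86156c6b", abi, provider);',
  'c.getString("0x52221c293a21D8CA7AFD01Ac6bFAC7175D590A84").then((u) => console.log(u));',
].join("\n");
console.log(auditPackage(SAMPLE_MANIFEST, { "install.js": SAMPLE_INSTALL_JS }));
```

Run it against an unpacked tarball by reading package.json and each .js file into the `sources` map; a "review" verdict on a package with only a lifecycle hook is the cue to inspect that script by hand before re-enabling scripts for it.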

The packages are gone, the pattern remains, and on-chain indirection now sits alongside typosquats and bogus repos as a repeatable way to reach developer machines.

The post Ethereum smart contracts quietly push JavaScript malware targeting developers appeared first on CryptoSlate.
