Boztek

Malware Campaign Uses Ethereum Smart Contracts to Control npm Typosquat Packages

An ongoing malicious campaign is targeting npm developers, employing hundreds of typosquatted packages that mimic legitimate versions to deceive users into executing cross-platform malware. Recent investigations by Checkmarx, Phylum, and Socket reveal that the attackers are utilizing Ethereum smart contracts to distribute command-and-control (C2) server addresses. This campaign, which began garnering attention on October 31, 2024, involves at least 287 identified typosquat packages on the npm registry, indicating a broad and potentially damaging reach.

The campaign appears to target developers who rely on popular libraries such as Puppeteer, Bignum.js, and various cryptocurrency tools. The malicious packages contain obfuscated JavaScript that runs during or after package installation. This script retrieves a binary from a remote server, selected to match the user's operating system; the binary establishes persistence on the machine and exfiltrates sensitive data back to the server.

A notable aspect of the malware's functionality is that it queries Ethereum smart contracts via the ethers.js library to obtain the IP addresses of its C2 servers. The approach resembles the earlier EtherHiding campaign, which used Binance's Smart Chain for the same purpose. This decentralized approach complicates efforts to block the malware: the threat actor can update the IP addresses served by the smart contract at any time, so the malware can keep communicating with its infrastructure even when individual IP addresses are blocked or taken down.
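The traits described above, a package name a few edits away from a popular library, code that runs at install time, and an ethers.js dependency in a package with no blockchain purpose, can be checked mechanically before a package is installed. The following audit is an added example written for this article, not code from the cited researchers; the list of popular names, the edit-distance threshold, and the sample manifest are assumptions.

```javascript
// Added example: flag npm package manifests showing the campaign's traits.
// POPULAR and the threshold of 2 edits are assumptions, not from the article.
const POPULAR = ["puppeteer", "bignum.js", "bignumber.js", "web3", "ethers"];

// Levenshtein edit distance, used to spot names one or two edits from a known package.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      d[i][j] = Math.min(
        d[i - 1][j] + 1,
        d[i][j - 1] + 1,
        d[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1),
      );
    }
  }
  return d[a.length][b.length];
}

// Returns the reasons a parsed package.json looks suspicious (empty = nothing flagged).
function auditManifest(manifest) {
  const reasons = [];
  const name = (manifest.name || "").toLowerCase();
  for (const p of POPULAR) {
    const dist = editDistance(name, p);
    if (dist > 0 && dist <= 2) reasons.push(`name "${name}" is ${dist} edit(s) from "${p}"`);
  }
  const scripts = manifest.scripts || {};
  for (const hook of ["preinstall", "install", "postinstall"]) {
    if (scripts[hook]) reasons.push(`runs code at install time via "${hook}": ${scripts[hook]}`);
  }
  const deps = { ...(manifest.dependencies || {}), ...(manifest.devDependencies || {}) };
  if ("ethers" in deps && !/(web3|ethers|chain|wallet)/.test(name)) {
    reasons.push("depends on ethers.js although the package name suggests no blockchain purpose");
  }
  return reasons;
}

// Constructed sample manifest resembling the campaign's pattern (not a real package).
const SAMPLE = {
  name: "pupeteer",
  version: "1.0.0",
  scripts: { postinstall: "node setup.js" },
  dependencies: { ethers: "^6.0.0" },
};
```

Running `auditManifest(SAMPLE)` yields three findings, one per trait; a genuine package named `ethers` with no install hooks yields none.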

Researchers emphasize the implications of using blockchain technology in such attacks. Because a deployed smart contract cannot be removed, it gives the attackers an operational architecture that is resistant to takedown efforts, while the values it serves can still be updated by its owner. The decentralized nature of these communications is therefore a challenge for network defenders, as it complicates both detection and response.

The identity of the individuals behind the campaign remains uncertain, but linguistic clues provided by the Socket Threat Research Team suggest that they may be Russian speakers, based on the error messages observed in the malware. This insight highlights a potential link to broader geopolitical cyber threat landscapes, emphasizing the need for vigilance among developers engaged in the open-source ecosystem.

The innovative application of blockchain for command-and-control purposes marks a troubling evolution in supply chain attack techniques within the npm ecosystem. As these types of malware become increasingly sophisticated, developers are urged to exercise caution and conduct thorough reviews of software packages before integration. The landscape of open-source software is continuously being poisoned by such attacks, necessitating ongoing scrutiny and enhanced security practices within the community.

Ultimately, the utilization of blockchain technology for infrastructure behind these attacks introduces a new level of complexity to cybersecurity efforts. These developments drive home the urgent need for security awareness and proactive measures among developers and organizations relying on open-source software, as the stakes associated with supply chain vulnerabilities continue to escalate.